Quantum theory has found a new field of applications in the realm of information and computation during the recent years. This paper reviews how quantum physics allows information coding in classically unexpected and subtle nonlocal ways, as well as information processing with an efficiency largely surpassing that of the present and foreseeable classical computers. Some outstanding aspects of classical and quantum information theory will be addressed here. Quantum teleportation, dense coding, and quantum cryptography are discussed as a few samples of the impact of quanta in the transmission of information. Quantum logic gates and quantum algorithms are also discussed as instances of the improvement in information processing by a quantum computer. We provide finally some examples of current experimental realizations for quantum computers and future prospects.

I. INTRODUCTION

The twentieth century we have just left behind opened with the discovery of quanta by Planck (1900) and followed with the formulation of the quantum theory during the first decades. As the century went by, we have witnessed a continuous and growing increase in the number of applications of quantum mechanics, which began with atomic physics and then the number kept growing (nuclear and particle physics, optics, condensed matter, ...) and became countless. As the century was closing we have come across an unexpected new field of applications that have given quantum physics a refreshing twist, keeping the pace even with the newest trends of discoveries, such as the field of new technologies of information and computation. In a sense and having in mind the times we live, those of the information era and the new technologies, it seems inevitable that physics gets affected by the presence of computers all around, which are more and more powerful and have revolutionized many areas of science. What is more surprising is the fact that quantum physics may influence the field of information and computation in a new and profound way getting at the very root of their foundations. For instance, fundamental aspects of quantum mechanics such as those entering the EPR (Einstein, Podolsky and Rosen, 1935) states have found unexpected applications in information transmission and cryptography.

But, why has this happened? It all began by realizing that information has physical nature (Landauer, 1991; 1996; 1961). It is printed on a physical support (the rocky wall of a cave, a clay tablet, a parchment, a sheet of paper, a magneto-optic disk, etc), it cannot be transmitted faster than light in vacuum, and it abides by the natural laws. The statement that information is physical does not simply mean that a computer is a physical object, but in addition that information itself is a physical entity. In turn, this implies that the laws of information are restricted or governed by the laws of physics. In particular, those of quantum physics. In fact these ones, through their linearity, entanglement of states, nonlocality and indetermination principle make possible new and powerful transmission tools and information treatments, as well as a really prodigious efficiency of computation.

A typical computation is implemented through an algorithm in a computer. This algorithm is now regarded as a set of physical operations and the registers of the quantum computer are considered to be states of a quantum system. Moreover, the familiar operation of initializing the data for a program to run is replaced by the preparation of an initial quantum state, and the usual tasks of writing programs and running them correspond, in the new formulation, to finding appropriate Hamiltonians for their time evolution operators to lead to the desired output. This output is retrieved by a quantum measurement of the register, and this fact has deep implications on the way quantum information must be handled.

We shall see that information and computation blend well with quantum mechanics. Their combination brings unexpected results on the way information can be transmitted and processed, extending the capabilities known so far in the field of classical information to unsuspected limits, sometimes entering the realm of science-fiction, sometimes surpassing it.

The advance has been remarkable mainly in the field of cryptography, where it has provided systems absolutely secure for the quantum distribution of keys. Quantum computation is also one of the hot research fields in current physics; the same applies to the challenge posed by the experimental realization of a computer complex enough to implement the new algorithms that exploit the fantastic possibilities of the massive parallelism characterizing those quantum computers, and that would amount to a dramatic improvement for solving hard or classically untractable problems.

We first review the essentials of quantum information theory and then discuss several of their consequences and applications, some of them specifically quantum such as quantum teleportation, dense coding; some of them with a classical echo such as quantum cryptography. Next we review the fundamentals of quantum computation describing the notion of a quantum Turing machine and its practical implementation with quantum circuits. We describe the notion of elementary quantum gates for universal computation and how this extends the classical counterpart. We also provide a discussion of the basic quantum algorithms and finally we give a general overview of some of the possible physical realizations of quantum computers.

Both in the information and computation parts we make special emphasis in presenting first an introduction to the classical aspects of these disciplines in order to better clarify what quantum theory adds to them in the new formulations of these theories. Actually, this is also what we do in physics.

II. CLASSICAL INFORMATION 

Information is discretized: it comes in irreducible packages. The elementary unit of classical information is the bit (or cbit, for classic bit), a classical system with only two states 0 and 1 (False and True, No and Yes, ...). Any text can be coded into a string of bits: for instance, it is enough to assign to each symbol its ASCII code number in binary form, appended with a parity check bit. Example: quanta can be coded as

11100010 11101011 11000011 11011101 11101000 11000011 

Each bit can be stored physically; in classical computers, each bit is registered as a charge state of a capacitor (0 = discharged, 1 = charged). They are distinguishable macroscopic states, and robust enough or stable. They are not spoiled when they are read in (if carefully done) and they can be cloned or replicated without any problem.

Information is not only stored; it is usually transmitted (communication), and sometimes processed (computation).

A. The Theorems of Shannon 

The classical theory of information is due to Shannon (1948, 1949), who in two seminal works definitively laid down its principles in 1948. With his celebrated noiseless coding theorem he showed how compressible a message can be, or equivalently, how much redundancy it has. Likewise with his coding theorem in a noisy channel he also found what is the minimum redundancy that must be present in a message in order to be comprehensible when reaching the receiver, despite the noise.

Let $A := \{a_1, \ldots, a_{|A|}\}$ be a finite alphabet, endowed with a probability distribution $p_A : a_i \mapsto p_A(a_i)$, with $\sum_{1\le i\le|A|} p_A(a_i) = 1$. Sometimes we shall write this as $A := \{a_i, p_A(a_i)\}_{i=1}^{|A|}$. Let us consider messages or character strings $x_1x_2\cdots x_n \in A^n$, originating from a memoryless source, i.e., a symbol $a$ appears in a given place with probability $p_A(a)$, independently of the symbols entering the remaining sites in the chain.¹ The first Shannon's theorem asserts that, if $n \gg 1$, the information supplied by a generic message of $n$ characters (and thus $(n\log_2|A|)$-bits long) essentially coincides with that transmitted by another shorter message, of bit length $nH(A)$, where $H$ is the so called Shannon's entropy

$$H(A) = -\sum_{1\le i\le|A|} p_A(a_i)\log_2 p_A(a_i) \in [0, \log_2|A|]. \qquad (1)$$

In other words, each character is compressible up to $H(A)$ bits on the average; moreover, this result is optimal (Welsh, 1995; Roman 1992; Schumacher, 1995; Preskill, 1998).

The basic idea underlying the proof is simple: it amounts to taking notice only of the typical messages. Let us assume for clarity a binary alphabet ($A = \{0, 1\}$). Let $p$, $1 - p$ be the probabilities of 0, 1, respectively. In a long message of $n$ bits ($n \gg 1$), there will be approximately $np$ 0s. Let us call typical messages those with a number of 0s of the order of $np$. Asymptotically ($n \to \infty$), there are $2^{nH(A)}$ many of them, among a total of $2^n$ messages. The probability $P : (x_1, \ldots, x_n) \mapsto p(x_1)\cdots p(x_n)$ of the messages ($n \gg 1$)-bits long tends to get concentrated on this reduced ensemble consisting of the typical strings, which explains Shannon's result. The atypical messages are ignorable in probability. It suffices to transmit through the communication channel (assumed perfect, noiseless) the binary number of length $nH(A)$ assigned to each typical message upon common agreement between the sender and the recipient, so that the emitted message can be identified on reception.² The optimality of Shannon's first theorem is easily arguable: all $2^{nH(A)}$ typical sequences are asymptotically equiprobable and thus they cannot be represented faithfully with less than $nH(A)$ bits.

If the transmission channel is noisy (the common case), the information fidelity gets lost, since some bits may get corrupted along the way. To fight the noise of a given channel one resorts to redundancy, by cleverly coding each symbol with more bits than strictly necessary so that the erroneous bits might be easily detected and restored. A price is paid however, since the transmission of essential information gets clearly slower. Shannon's wonderful second theorem quantifies this issue.



1 The natural languages are not like these (for instance, in the usual Spanish there exists no digram like Qn). Nevertheless, they can be considered, to a good approximation, as limit of ergodic Markovian languages to which the Shannon theorem can be extended (Welsh, 1995).

2 There exist very practical methods for classical coding with an efficiency close to the optimal value, such as the Huffman code (Roman, 1992), with multiple applications (facsimile, digital TV, etc). The essence of this code is to assign shorter binary strings to the most frequent symbols.



Let $X$ be the alphabet of the transmitter station (of a memoryless source), and $Y$ be the one of the receiver station. Let $(p_{Y|X}(y_j|x_i))$ be the stochastic matrix for that channel, with entries given by the probabilities that the input symbol $x_i \in X$ appears as $y_j \in Y$ on output. The marginal probability distribution for $Y$ is given by $p_Y(y_j) = \sum_i p_{Y,X}(y_j, x_i)$ $(= \sum_i p_{Y|X}(y_j|x_i)\,p_X(x_i))$. The channel ability to transmit information is measured by its capacity $C := \sup_{p_X} I(X:Y) = \max_{p_X} I(X:Y)$, where $I(X:Y) = I(Y:X)$ is the mutual information

$$I(X:Y) := \sum_{i,j} p_{Y,X}(y_j, x_i)\log_2\frac{p_{Y,X}(y_j, x_i)}{p_Y(y_j)\,p_X(x_i)} \qquad (2)$$

or the information about $X$ ($Y$) conveyed by $Y$ ($X$). The convexity of the log makes $I(X:Y) \ge 0$ (knowing $Y$ can never lower the information about $X$).

The capacity C may be viewed as the number of output 
bits per input symbol which are correctly transmitted. 
Its computation is usually very difficult. 

Many channels are binary symmetric: each transmitted bit has the same probability $p$ of being reversed, i.e., of being erroneous upon arrival. These are the channels considered here. For them we have $C = 1 - H_2(p) =: C(p)$, with $H_2(p) := -p\log_2 p - (1-p)\log_2(1-p)$. Note that $C(\tfrac12) = 0$, such a channel being totally useless for transmission since it transforms any input binary word into a random output sequence. Thus we will assume that $p < \tfrac12$.

In the transmission of a word $w \in \{0,1\}^n$, an error $e \in \{0,1\}^n$ may be produced such that the received word is $w' = w + e$ (addition mod 2). A subset of words $C_n \subset \{0,1\}^n$ encoding (i.e. in bijective correspondence with) a collection of messages is said to be an error-correcting classical code (ECCC) for $e \in \mathcal{E}_n \subset \{0,1\}^n$ if $(w + \mathcal{E}_n) \cap (w' + \mathcal{E}_n) = \emptyset$ for any $w \ne w' \in C_n$. That is, no matter the distortion produced by the errors on a codeword $w \in C_n$, there is no overlapping between the different sets $w + \mathcal{E}_n$, and the decoding is possible without ambiguities. If upon previous agreement, it is known which specific message corresponds to each codeword, it will be enough to send this one instead of the message; the latter will be capable of being recovered at the other side of the channel after "cleaning-up" the received word from the possible errors which can affect it. In this way the transmitted codeword can be identified and its decoding done afterwards. In the practical use of a code $C_n$, mistakes can occur in the restoration of the messages, caused by errors outside $\mathcal{E}_n$, that is, out of the security framework of the code. But as long as the frequency of failures remains very low, the risk will be bearable. It is apparent that for this to happen it will be convenient to put very far apart (in the Hamming sense, that is, in the number of bits in which they differ) the different words of the code, for the possibility that the errors will cause collisions between two distinct words of code will diminish in this fashion.

One defines the rate of the code $C_n$ as $R := \log_2|C_n|/n$. It measures the number of informative bits per transmitted bit. It is easy to argue that in order for the code to be reliable, its rate must not overcome the capacity of the channel: $R \le C$. In fact, when transmitting a codeword $w$ with length $n$, there will be produced a number of $np$ reversed bits on average, and hence an error $e$ which will be likely one of the $2^{nH_2(p)}$ typical sequences. For the decoding to be reliable, there should be no overlapping between the error spheres with centers at the codewords, and thus $2^{nH_2(p)}|C_n| \le 2^n$, thereby $R \le C$. This result suggests that the capacity $C$ is an upper bound to all faithful transmission rates.

The second Shannon's theorem closes this issue in the asymptotic limit. Suppose given a binary symmetric channel, a transmission rate $R$ not exceeding the capacity of the channel ($0 < R < C$), an $\epsilon > 0$ arbitrarily small and any sequence $\{N_n\}_1^\infty$ of integers such that $1 < N_n < 2^{nR}$. Then, the theorem asserts that there exist codes $\{C_n \subset \{0,1\}^n\}_1^\infty$ with $N_n$ elements (codewords), appropriate decision schemes for decoding, and an integer $n(\epsilon)$, such that the fidelity $F(C_n)$ or probability that a given decoded message coincides with the original is $> 1 - \epsilon$ (that is, the maximum probability of error in the identification of the codeword on reception is $< \epsilon$) for all $n > n(\epsilon)$ (Roman, 1992; Welsh, 1995). Moreover, it is possible to make the error probabilities tend to 0, exponentially in $n$.

The theorem is optimal: the capacity $C$ should not be exceeded if the transmission is to be faithful. As a matter of fact, it is known that for each sequence of codes $\{C_n\}_1^\infty$ with $|C_n| = \lceil 2^{nR} \rceil$, whose rate exceeds the capacity of the channel ($R > C$), the average error probability tends asymptotically to 1.

The proof of this Shannon's theorem relies on codes chosen at random and decoding schemes based on the maximum likelihood principle; unfortunately, it is not constructive, but existential, leaving open the practical problem of finding out codes which cleverly combine a good efficiency in correcting errors, a simple decoding and a high rate.

B. Classical Error Correction 

Errors in the storage and processing of the information are unavoidable. A classical way of correcting them is resorting to redundancy (repetition codes): each bit is substituted by a string of $n \ge 3$ bits equal to it,

$$0 \mapsto \underbrace{00\ldots00}_{n\ 0\text{s}}, \qquad 1 \mapsto \underbrace{11\ldots11}_{n\ 1\text{s}}, \qquad (3)$$

and, if by any chance, an error occurs in such a way that one of the bits in one of those strings gets reversed (for instance $00000 \mapsto 01000$), to correct the error it is enough to invoke the majority vote. Let $p$ be the probability for any bit to get spoiled. In general, several bits of the $n$-tuple may be reversed. When $p < \tfrac12$, the probability for the majority rule to fail can be made as small as desired, taking $n$ sufficiently large. It is apparent that if the $n$-tuples of bits are systematically and frequently examined, so that it is very unlikely that errors occur at two or more bits, then the application of this simple method will clean-up the $n$-tuples from errors and their error-free state will be restored. However, the price to pay might be too high since with codes of length $n$ sufficiently large so as to ensure a small error during the detection, the transmission rate can turn out prohibitively small (in our case it is $1/n$ source bits per channel bit).

So far, we have been describing correction codes $C \subset \{0,1\}^n$ for errors in $\mathcal{E} \subset \{0,1\}^n$. More generally, we can consider $q$-ary alphabets (whose symbols we shall assume to be the elements of the finite field $\mathbb{F}_q$ with $q$ elements, $q$ being a power of a prime $p$). Given two words $x, y \in \{0, 1, \ldots, q-1\}^n$, let $d_H(x,y)$ be their Hamming distance (number of locations in which $x$, $y$ differ). Let $d := d_H(C) := \inf_{x \ne y \in C} d_H(x,y)$ be the minimum distance of the code. Then, the code $C$ allows the correction of errors that affect a maximum number $t := \lfloor \tfrac12(d-1) \rfloor$ of positions:³ it is enough to replace each received word by the closest codeword in the Hamming metric.⁴ Therefore, the most convenient codes are those with a high $d$, but this is at the expense of decreasing $|C|$. If $M$ is the number of codewords, we shall call it an $(n, M, d)_q$ code. Its rate is defined as $R := n^{-1}\log_q M$.

When $C$ is a linear subspace of $\mathbb{F}_q^n$, the code is called linear. Therefore the linear codes are of the form $(n, q^k, d)_q$, where $k$ is the dimension of the linear subspace $C$; for them $d$ coincides with the minimal Hamming length of a non-vanishing codeword, and the searching of the codeword nearest to each received word is greatly simplified. It is customary to represent them as $[n, k, d]_q$, or simply as $[n, k]_q$ when $d$ is irrelevant. Their rate is $k/n$. Given a code $C$ of type $[n, k]_q$, the matrix $G$, $k \times n$, with rows given by the components of the vectors in a basis of $C$ is called a generator matrix for $C$. Defining now in $\mathbb{F}_q^n$ a scalar product in the canonical way, we can introduce the dual code $C^\perp$ of $C$. A generator matrix $H$ for $C^\perp$ is known as a parity-check matrix for $C$; notice that $C = \{u \in \mathbb{F}_q^n : Hu = 0\}$, which justifies in part the name given to $H$, for it allows us to easily "check" whether a vector in $\mathbb{F}_q^n$ belongs or not to the subspace $C$.

The coding applies bijectively and linearly $\mathbb{F}_q^k$ onto a code $C \subset \mathbb{F}_q^n$ of type $(n, q^k, d)_q$, and it is implemented as follows. Let $\{e_1, \ldots, e_k\} \subset \mathbb{F}_q^n$ be a basis of $C$. Given a source word $w = (w_1, \ldots, w_k) \in \mathbb{F}_q^k$, it gets assigned a codeword $c(w) := \sum_i w_i e_i$. In terms of the generator matrix, $w^t \mapsto w^t G$. Let us call $\pi : w \mapsto c(w)$ this injection. During the transmission, $c(w)$ could get corrupted, becoming $u := c(w) + e$, where $e \in \mathcal{E}$ is a possible error vector. It is evident that $e \in u + C$. In order to decode it, the criterion of minimal Hamming distance is applied, replacing $u$ by $\pi^{-1}(u - u_0)$, where $u_0$ is an element of the coset $u + C$ which minimizes the distance to the origin (such $u_0$ is known as a leader of $u + C$). The linearity of the code allows us to economize in this last step. We make a look-up table containing for each coset $v + C \in \mathbb{F}_q^n/C$ its syndrome $Hv$ (which uniquely characterizes the coset) and a leader $v_0$. Upon receiving $u$ as a message, the syndrome $Hu$ is computed and its corresponding leader $u_0$ is searched in the table; next, decoding proceeds as stated before (Macwilliams and Sloane, 1977; Roman, 1992; Welsh, 1995). The original message is faithfully retrieved iff the error coincides with one of the leaders in the table.

3 Notation: $\lfloor x \rfloor$ ($\lceil x \rceil$) is the largest (smallest) integer $\le x$ ($\ge x$).

4 For instance, for the repetition code $C = \{0\ldots0, 1\ldots1, \ldots, (q-1)\ldots(q-1)\}$, with $q$ codewords of length $n$, we have $d = n$, and thus it exactly corrects $\lfloor (n-1)/2 \rfloor$ errors.

Some of the most relevant linear codes are (Macwilliams and Sloane, 1977; Roman, 1992; Welsh, 1995):

1. The repetition code $C = \{0\ldots0, 1\ldots1, \ldots, (q-1)\ldots(q-1)\}$ is of type $[n, 1, n]_q$, and although for it the minimum distance is optimal, its rate is dreadful.

2. The Hamming codes $H_q(r)$ are arguably the most famous of them all. They are codes of the type $[n = 1 + q + \ldots + q^{r-1}, k = n - r, d = 3]_q$, and they are perfect, in the sense that the set of Hamming spheres with radius $\lfloor (d-1)/2 \rfloor$ and center at each codeword fill $\mathbb{F}_q^n$. These codes have rates $R = 1 - r/n$ which tend to 1 as $n \to \infty$, but they only correct one error.

For instance, $H_2(3)$ is of type $[7, 4, 3]_2$ and rate 4/7. A parity-check matrix for this code is

$$H = \begin{pmatrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}. \qquad (4)$$

Its decoding is particularly simple. Let $u$ be the word received instead of the codeword $w$, and assume that $u$ has only one corrupted bit. The syndrome $s(u) := Hu$ coincides in this case with the binary expression of the position occupied by the erroneous bit. Negating this single bit will thus suffice to clean the word to get the correct codeword. For example, if $u = 0110001$, then $s(u) = 110$, so that the incorrect bit is the sixth one, and hence $w = 0110011$.

3. The Golay codes $G_{24}$ and $G_{23}$ are binary, of type $[24,12,8]_2$ and $[23,12,8]_2$, respectively. They are probably the most important codes.

The code $G_{24}$ is self-dual, i.e. $C = C^\perp$, which simplifies decoding. Its rate is $R = 1/2$, and it allows the correction of up to 3 errors; it was used by NASA in 1972-82 for the transmission of color images of Jupiter and Saturn from the Voyagers.

The code $G_{23}$ is perfect, and it gives rise to $G_{24}$ when augmented with a parity bit.

The Golay codes $G_{12}$ and $G_{11}$ are ternary, of type $[12,6,6]_3$ and $[11,6,5]_3$, respectively. As before, $G_{12}$ is self-dual, while $G_{11}$ is perfect and originates $G_{12}$ when appended with a parity bit.



The codes $G_{24}$ and $G_{12}$ have very peculiar combinatorial properties; their groups of automorphisms are $M_{24}$ and $2.M_{12}$, where $M_{24}$ and $M_{12}$ are the famous sporadic groups of Mathieu. This latter group is the subgroup of $S_{12}$ generated by two special permutations of 12 cards labeled from 0 to 11: $0, 1, 2, \ldots, 11 \mapsto 11, 10, 9, \ldots, 0$ and $0, 1, 2, \ldots, 11 \mapsto 0, 2, 4, 6, 8, 10, 11, 9, 7, 5, 3, 1$. It is also the group of motions of the form $r_i r_j^{-1}$ on a "Rubik" icosahedron, where $r_i$ indicates a rotation of angle $2\pi/5$ degrees around the $i$-th axis of the icosahedron (Conway and Sloane, 1999). As a matter of fact, it was the discovery of the Golay codes that drove further the study of the sporadic groups which resulted in the complete classification of the finite simple groups, with the discovery by Griess in 1983 of the "monster" or "friendly giant" group, finite and simple, an enormous subgroup of $SO(47 \times 59 \times 71)$ with about $10^{54}$ elements.

4. The Reed-Muller binary codes $RM(r, m)$, with $0 \le r \le m$, are of type $[n = 2^m, k = \sum_{k \le r}\binom{m}{k}, d = 2^{m-r}]_2$. Their rates, for fixed $r$, tend to 0 when increasing $m$. They rank among the oldest codes known. The code $RM(1, 5)$, of type $(32, 64, 16)_2$, is able to correct up to 7 errors with a rate of $R = 3/16$. It was used in 1969-72 to transmit from the Mariners the white-and-black photos of Mars.

5. The Reed-Solomon codes generalize the Hamming codes. They have been heavily employed by NASA in the transmission of information during the Galileo, Ulysses and Magellan missions to the deep outer space, and currently they are used all over, from CD-ROMs to the hard disks of computers.

6. The algebraic-geometric Goppa codes $G_q(D, G)$ are in turn interesting generalizations of the Reed-Solomon codes. They have allowed to obtain families of codes asymptotically good, that is, families containing infinite sequences $\{[n_i, k_i, d_i]_q\}$ of codes, with $n_i \to \infty$, such that the sequences $\{k_i/n_i, d_i/n_i\}$ of rates and minimum relative distances are bounded from below by certain positive numbers (Macwilliams and Sloane, 1977; Roman, 1992; Stichtenoth, 1993; Blake et al., 1998).
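The syndrome look-up decoding described before this list, applied to the code $H_2(3)$ of item 2 with the parity-check matrix of Eq. (4). This is an added example, not code from the paper; the function names are chosen here, and the exhaustive enumeration assumes a short binary code.

```python
from itertools import product

# Parity-check matrix of the binary Hamming code H_2(3), Eq. (4) of the text.
H_HAMMING = (
    (0, 0, 0, 1, 1, 1, 1),
    (0, 1, 1, 0, 0, 1, 1),
    (1, 0, 1, 0, 1, 0, 1),
)


def bits(s):
    """'0110001' -> (0, 1, 1, 0, 0, 0, 1)."""
    return tuple(int(c) for c in s)


def syndrome(H, u):
    """s(u) = Hu over F_2."""
    return tuple(sum(h * x for h, x in zip(row, u)) % 2 for row in H)


def codewords(H):
    """C = {u : Hu = 0}, by exhaustive search (fine for short codes)."""
    n = len(H[0])
    return [u for u in product((0, 1), repeat=n) if not any(syndrome(H, u))]


def min_distance(H):
    """For a linear code, d is the least weight of a non-zero codeword."""
    return min(sum(c) for c in codewords(H) if any(c))


def leader_table(H):
    """Look-up table: syndrome -> coset leader (a minimum-weight element)."""
    n = len(H[0])
    table = {}
    # Visiting vectors by increasing weight makes the first hit a leader.
    for v in sorted(product((0, 1), repeat=n), key=sum):
        table.setdefault(syndrome(H, v), v)
    return table


def decode(H, table, u):
    """Subtract the leader of the coset u + C (over F_2, subtract = add)."""
    leader = table[syndrome(H, u)]
    return tuple((a + b) % 2 for a, b in zip(u, leader))


def error_position(s):
    """Hamming-code shortcut: read the syndrome as a binary number."""
    return int("".join(map(str, s)), 2)


if __name__ == "__main__":
    table = leader_table(H_HAMMING)
    u = bits("0110001")                  # received word used in the text
    print("syndrome:", syndrome(H_HAMMING, u))
    print("decoded :", decode(H_HAMMING, table, u))
    # Constructed case: the codeword 0110011 with bits 1 and 2 flipped.
    # A weight-2 error is not a leader, so a wrong codeword comes back.
    w, garbled = bits("0110011"), bits("1010011")
    print("miscorrected:", decode(H_HAMMING, table, garbled) != w)
```

The last case shows the "iff" of the text: the result is again a codeword, but not the one that was sent.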

1. Some asymptotic bounds for linear codes 

To obtain good encodings it is advisable to use long codes which permit not only sending many different messages but also present a large minimum distance which allows for correcting sufficiently many errors. Given a code $C = [n,k,d]_q$, let $R(C) := k/n$ be its rate and $\delta(C) := d/n$ its minimum relative distance. A theorem of Manin asserts that the set of limit points of $\{(\delta(C), R(C)) \in [0,1]^2 : C \text{ is a code on } \mathbb{F}_q\}$ is of the form $\{(\delta, R) \in [0,1]^2 : \delta \in [0,1],\ 0 \le R \le \alpha_q(\delta)\}$, where $\alpha_q(\delta)$ is a continuous function of $\delta \in [0,1]$, decreasing in $[0, 1 - q^{-1}]$, and such that $\alpha_q(0) = 1$, $\alpha_q(\delta) = 0$ if $1 - q^{-1} \le \delta \le 1$.

Let $H_q$ be the $q$-ary entropy function $H_q(x \in [0, 1 - q^{-1}]) := x\log_q(q-1) - x\log_q x - (1-x)\log_q(1-x)$. The following bounds for the function $\alpha_q(\delta)$ in the relevant interval $\delta \in [0, 1 - q^{-1}]$ are known:

FIG. 1: Asymptotic bounds. The dark zone is limited by the lower and upper bounds mentioned in the text.



• Plotkin's upper bound:

$$\alpha_q(\delta) \le 1 - (1 - q^{-1})^{-1}\delta \qquad (5)$$

• Hamming's or sphere-packing upper bound:

$$\alpha_q(\delta) \le 1 - H_q(\delta/2) \qquad (6)$$

• Bassalygo-Elias' upper bound:

$$\alpha_q(\delta) \le 1 - H_q\big(\theta - \sqrt{\theta(\theta - \delta)}\big), \quad \text{with } \theta := (1 - q^{-1}) \qquad (7)$$

• Gilbert-Varshamov' lower bound:

$$\alpha_q(\delta) \ge 1 - H_q(\delta) \qquad (8)$$

This last one is very important, since it ensures the existence of codes as long as desired with minimum relative distance $\delta$ and rate $R$ both asymptotically positive.

• Tsfasman-Vlăduţ-Zink' lower bound: if $q$ is a square, then on $[0, 1 - (\sqrt{q} - 1)^{-1}]$ one has

$$\alpha_q(\delta) \ge 1 - \delta - \frac{1}{\sqrt{q} - 1} \qquad (9)$$

which is stronger than Gilbert-Varshamov' bound in some places from $q = 7^2$ on.

For an illustration see Fig. 1.
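The five bounds as functions of $\delta$, with a numerical check of their ordering and of the remark that the Tsfasman-Vlăduţ-Zink bound overtakes Gilbert-Varshamov from $q = 7^2$ on. This is an added example, not code from the paper; the function names and the grid scan are choices made here, and the formulas are the standard statements of these bounds.

```python
import math


def entropy_q(x, q):
    """q-ary entropy H_q(x) on [0, 1 - 1/q], with H_q(0) = 0."""
    if x <= 0:
        return 0.0
    h = x * math.log(q - 1, q) - x * math.log(x, q)
    if x < 1:
        h -= (1 - x) * math.log(1 - x, q)
    return h


def plotkin(delta, q):
    """Upper bound (5)."""
    return 1 - delta / (1 - 1 / q)


def hamming(delta, q):
    """Sphere-packing upper bound (6)."""
    return 1 - entropy_q(delta / 2, q)


def elias(delta, q):
    """Bassalygo-Elias upper bound (7), theta = 1 - 1/q."""
    theta = 1 - 1 / q
    return 1 - entropy_q(theta - math.sqrt(theta * (theta - delta)), q)


def gilbert_varshamov(delta, q):
    """Lower bound (8)."""
    return 1 - entropy_q(delta, q)


def tvz(delta, q):
    """Tsfasman-Vladut-Zink lower bound (9); q must be a square."""
    return 1 - delta - 1 / (math.sqrt(q) - 1)


def tvz_window(q, steps=2000):
    """Range of delta (on a grid) where bound (9) exceeds bound (8), or None."""
    upper = 1 - 1 / (math.sqrt(q) - 1)      # right end of the TVZ interval
    grid = (upper * k / steps for k in range(steps + 1))
    better = [d for d in grid if tvz(d, q) > gilbert_varshamov(d, q)]
    return (better[0], better[-1]) if better else None


if __name__ == "__main__":
    for q in (25, 49, 64):
        print(q, tvz_window(q))
```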



III. QUANTUM INFORMATION 

The quantum information theory, being an extension 
of the classical theory, is essentially a product of the past 
decade (Bouwmeester, Ekert and Zeilinger, 2000; Nielsen 
and Chuang, 2001). 

In quantum information, the analogue of the classical bit is called qubit or quantum bit (Schumacher, 1995). It is a two-dimensional quantum system (for instance, a spin $\tfrac12$, a photon polarization, an atomic system with two relevant states, etc), with Hilbert space isomorphic to $\mathbb{C}^2$. Besides the two basis states $|0\rangle$, $|1\rangle$, the system can have infinitely many other (pure) states given by a coherent linear superposition $\alpha|0\rangle + \beta|1\rangle$. The Hilbert space of $n$ qubits is the tensor product $\mathbb{C}^2 \otimes \cdots \otimes \mathbb{C}^2 = \mathbb{C}^{2^n}$, and its natural basis vectors are $|0\rangle \otimes \cdots \otimes |0\rangle =: |0\ldots0\rangle$, $|0\rangle \otimes \cdots \otimes |1\rangle =: |0\ldots1\rangle$, ..., $|1\rangle \otimes \cdots \otimes |1\rangle =: |1\ldots1\rangle$. For this basis, also known as the computational basis, we shall assume the lexicographic ordering. When appropriate, we shall briefly write $|x\rangle$ to denote $|x_{n-1}\ldots x_0\rangle$, with $x := x_0 + 2x_1 + \ldots + 2^{n-1}x_{n-1}$. Thus, $|5\rangle = |0\ldots0101\rangle$.




FIG. 2: Parameterization of the states of one qubit: the Bloch sphere.



There exists the possibility of extending the two-level qubits to qudits or $d$-dimensional systems ($d > 2$) (Rungta et al., 2000). This leads to an extension of the binary quantum logic. Using $d$ computational levels we can reduce the number $n_2$ of qubits needed for a computation by a factor of $\log_2 d$, since the Hilbert space of $n_d$ qudits contains the space of $n_2$ qubits provided that $d^{n_d} \ge 2^{n_2}$.

Given an arbitrary state vector $|\Psi\rangle = c_0|0\rangle + c_1|1\rangle$ of a qubit, the complex coefficients $c_0, c_1 \in \mathbb{C}$ amount to 4 real parameters. However, if we parameterize them as $c_i = r_i e^{i\phi_i}$, $i = 0, 1$ and factor out a global irrelevant phase, we find $|\Psi\rangle = r_0|0\rangle + r_1 e^{i(\phi_1 - \phi_0)}|1\rangle$. Imposing $|\Psi\rangle$ to be of unit norm, we can write it as

$$|\Psi\rangle = (\cos\tfrac12\theta)|0\rangle + e^{i\phi}(\sin\tfrac12\theta)|1\rangle \qquad (10)$$

where $r_0$, $r_1$ are now parameterized by the angle $\theta$, and $\phi := \phi_1 - \phi_0$.

These two angles represent a point in a $S^2$ sphere, called the Bloch sphere, as shown in Fig. 2. Thus, the (projective) Hilbert space of pure states of a single qubit can be parameterized by the points on this sphere. As a byproduct, this construction provides a nice representation of the "classical" bits as particular points on the sphere. The classical bit 0 (better the qubit state $|0\rangle$) marks the north pole and the 1 sits on the south pole. Any other point on the sphere amounts to a non-trivial linear superposition of the basis states. The angle $\theta$ is related to the proportion of $|1\rangle$ to $|0\rangle$ in the composition of that state, while the angle $\phi$ is their relative quantum phase.

It leaps to the eye from Fig. 2 that the information contained in a qubit is infinite as compared to the information in a classical bit. In other words, at a given time, a bit can take on only one of the two values, either 0 or 1, while a qubit can be in any of the infinitely many possible quantum states in (10). As we shall see later in detail, this fact is basic to what is known as "quantum parallelism", a source of the unprecedented capabilities exhibited by a quantum computer.

A quantum logic gate⁵ acting on a collection or quantum register of $k$ qubits is just any unitary operator in the associated Hilbert space $\mathbb{C}^{2^k}$ (Deutsch, 89). For instance, besides the identity, we have for 1 qubit the 1-ary gates $X$ (or $U_{\rm NOT}$), $Y$, $Z$, given by the Pauli matrices $\sigma_a$ (in the natural basis $\{|0\rangle, |1\rangle\}$):

$$X := U_{\rm NOT} := \sigma_x, \qquad Y := -i\sigma_y, \qquad Z := \sigma_z. \qquad (11)$$

The particular linear combination $U_H := 2^{-1/2}(X + Z)$ is the important Hadamard gate.

The unary gates are easy to implement (for instance, on polarized photons, with $\tfrac12\lambda$, $\tfrac14\lambda$ plates).

On 2 qubits, the most important gate is controlled NOT ($U_{\rm CNOT}$), or exclusive OR ($U_{\rm XOR}$), defined by $U_{\rm CNOT}, U_{\rm XOR} : |x\rangle|y\rangle \mapsto |x\rangle|x \oplus y\rangle$, where $x, y$ are either 0, 1, and $\oplus$ means addition mod 2. This gate can be represented by the matrix

$$U_{\rm CNOT} = U_{\rm XOR} := |0\rangle\langle0| \otimes 1 + |1\rangle\langle1| \otimes U_{\rm NOT} = \tfrac12(1 + \sigma_z) \otimes 1 + \tfrac12(1 - \sigma_z) \otimes \sigma_x. \qquad (12)$$

The physical implementation of this gate is central to the applications of quantum information and will be addressed later in Sec. X.

The quantum partner of the Shannon entropy is the Von Neumann entropy

$$S(\rho) := -{\rm Tr}(\rho\log_2\rho), \qquad (13)$$

where $\rho$ is the density operator describing a normal quantum state. Given a convex decomposition $\rho = \sum_{i \in I} p_i|\phi_i\rangle\langle\phi_i|$ in pure states, it can be shown that $S(\rho) \le H(I) := -\sum_i p_i\log_2 p_i$, equality holding if and only if the state vectors $\phi_i$ are pairwise orthogonal. The Von Neumann entropy has the well-known properties of concavity, strong subadditivity and triangularity (Thirring, 1983; Galindo and Pascual, 1990a; Galindo and Pascual, 1989):

$$\begin{aligned} \lambda_1 S(\rho_1) + \lambda_2 S(\rho_2) &\le S(\lambda_1\rho_1 + \lambda_2\rho_2), \\ S(\rho_{ABC}) + S(\rho_B) &\le S(\rho_{AB}) + S(\rho_{BC}), \\ |S(\rho_A) - S(\rho_B)| &\le S(\rho_{AB}) \le S(\rho_A) + S(\rho_B), \end{aligned} \qquad (14)$$

with $\lambda_{1,2} \ge 0$, $\lambda_1 + \lambda_2 = 1$. The subscripts $A$, $B$, $C$ denote subsystems.

The first two relations also hold in the classical theory of information. But the third property (whose second part is just the property of simple subadditivity) is peculiar. While in Shannon's theory the entropy of a composite system can never lower the entropy of any of its parts, quantumly this is not the case. The EPR states of the form $2^{-1/2}(|aa'\rangle + |bb'\rangle)$,⁶ where $a, b$ and $a', b'$ are given orthonormal pairs, provide us with an explicit counterexample.

2. No-cloning theorem

A basic difference between classical and quantum information is that while classical information can be copied perfectly, quantum cannot. This is relevant to quantum communication protocols, for should a quantum copier exist, then safe eavesdropping of quantum channels would be possible. In particular, we cannot create a duplicate of a quantum bit in an unknown state without uncontrollably perturbing the original. This follows from the no-cloning theorem of Wootters and Zurek (1982). The statement is the following: let $\mathcal{H} := \mathcal{H}_{\rm orig} \otimes \mathcal{H}_{\rm copy}$ be the joint Hilbert space of the original and of the copy, and let $U_{\rm QCM}$ be the linear (unitary) operator in $\mathcal{H}$ representing the action of an alleged quantum copier machine:

$$U_{\rm QCM} : |\Psi\rangle_{\rm orig}|\phi_0\rangle_{\rm copy} \mapsto |\Psi\rangle_{\rm orig}|\Psi\rangle_{\rm copy}, \quad \forall|\Psi\rangle \in \mathcal{H}_{\rm orig}, \qquad (15)$$

where $|\phi_0\rangle$ is the "blank" state of the copy.

We claim that such a machine cannot exist. This is a remarkably simple application of the linearity of quantum mechanics. For a contradiction, suppose it does exist. Assume for simplicity that the object to copy is just a single qubit, and let $|\Psi\rangle_{\rm orig} = \alpha_0|0\rangle + \alpha_1|1\rangle$. Then, linearity implies

$$U_{\rm QCM}|\Psi\rangle|\phi_0\rangle = \alpha_0|0\rangle|0\rangle + \alpha_1|1\rangle|1\rangle \qquad (16)$$

5 A more extended study of quantum_ki£ic gates a.nH thn r clas- 



sical counterparts is presented in Sec. 1X.B and Sec. VIII. D 



"Actually, they are EPR states à la Bohm, that is, EPRB states 
(Bohm, 1951). 
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whcrcas the definition of a quantum copier yiclds 

t/QCM|*>|^0> = |*)|*) 

-a o ai|0)|l) + aiao|l)|0) + a?|l)|l) 



(17) 



The results ([h]), (0) are in general incompatible, what 
proves the assertion. 

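A more general proof of the no-cloning theorem takes into account the environment and makes use of the unitarity of $U_{\rm QCM}$: now $\mathcal{H} := \mathcal{H}_{\rm orig} \otimes \mathcal{H}_{\rm copy} \otimes \mathcal{H}_{\rm env}$ and

$$U_{\rm QCM}|\Psi\rangle_{\rm orig}|\phi_0\rangle|E_0\rangle = |\Psi\rangle_{\rm orig}|\Psi\rangle_{\rm copy}|E_\Psi\rangle, \quad \forall |\Psi\rangle \in \mathcal{H}_{\rm orig}, \tag{18}$$

where $|E_0\rangle$ is the "rest" state of the "remaining world" (environment) before copying, and $|E_\Psi\rangle$ its state after copying. Let us consider two actions of the QCM,

$$\begin{aligned}
U_{\rm QCM}|\Psi_1\rangle|\phi_0\rangle|E_0\rangle &= |\Psi_1\rangle|\Psi_1\rangle|E_{\Psi_1}\rangle, \\
U_{\rm QCM}|\Psi_2\rangle|\phi_0\rangle|E_0\rangle &= |\Psi_2\rangle|\Psi_2\rangle|E_{\Psi_2}\rangle.
\end{aligned} \tag{19}$$

Taking the scalar product of these two actions and using unitarity yields $\langle\Psi_1|\Psi_2\rangle = \langle\Psi_1|\Psi_2\rangle^2 \langle E_{\Psi_1}|E_{\Psi_2}\rangle$. Therefore, since all these probability amplitudes have modulus $\le 1$, then either $\langle\Psi_1|\Psi_2\rangle = 0$ or 1, and hence copying two different and non-orthogonal states $\Psi_1, \Psi_2$ is impossible.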

However, a known quantum state can be copied at will. Moreover, dropping the requirement that copies be perfect, approximate quantum copying machines may exist (Bužek and Hillery, 1996). Should it be possible to make close to perfect copies then quantum cryptographic schemes might still be at risk. Quantum copying can also become essential in storage and retrieval of information in quantum computers.
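The clash between Eqs. (16) and (17) can be checked numerically. The following is an added example, not code from the paper: it assumes the alleged copier is fixed on the basis states ($|0\rangle|\phi_0\rangle \mapsto |00\rangle$, $|1\rangle|\phi_0\rangle \mapsto |11\rangle$) and extended by linearity, and all function names are hypothetical.

```python
import math

def kron(u, v):
    """Tensor product of two state vectors given as lists of amplitudes."""
    return [a * b for a in u for b in v]

def inner(u, v):
    """Scalar product <u|v>."""
    return sum(a.conjugate() * b for a, b in zip(u, v))

def normalize(a0, a1):
    """Single-qubit state a0|0> + a1|1>, normalized."""
    n = math.sqrt(abs(a0) ** 2 + abs(a1) ** 2)
    return [complex(a0) / n, complex(a1) / n]

def linear_copier(psi):
    """Eq. (16): the copier is defined on |0>, |1> and extended by linearity.
    Output amplitudes are ordered |00>, |01>, |10>, |11>."""
    a0, a1 = psi
    return [a0, 0j, 0j, a1]

def ideal_clone(psi):
    """Eq. (17): what a true copier would have to output, |psi>|psi>."""
    return kron(psi, psi)

def clone_fidelity(psi):
    """Overlap probability between Eq. (17) and Eq. (16); 1 means a perfect copy."""
    return abs(inner(ideal_clone(psi), linear_copier(psi))) ** 2

def original_survival(psi):
    """Probability that the original qubit is still found in |psi> after the
    copier has acted (summed over the two outcomes for the copy qubit)."""
    out = linear_copier(psi)
    basis = ([1 + 0j, 0j], [0j, 1 + 0j])
    return sum(abs(inner(kron(psi, b), out)) ** 2 for b in basis)

def unitarity_gap(psi1, psi2):
    """Eq. (19) with a trivial environment: a unitary preserves s = <psi1|psi2>,
    while cloning would map it to s^2. Returns |s - s^2| (0 only if s is 0 or 1)."""
    s = inner(psi1, psi2)
    return abs(s - s * s)

if __name__ == "__main__":
    zero, one, plus = normalize(1, 0), normalize(0, 1), normalize(1, 1)
    for name, state in (("|0>", zero), ("|1>", one), ("|+>", plus)):
        print(name, "clone fidelity:", round(clone_fidelity(state), 6),
              "original intact:", round(original_survival(state), 6))
    print("unitarity gap for |0>,|+>:", round(unitarity_gap(zero, plus), 6))
```

An eavesdropper using this machine copies the basis states faithfully but leaves the original of a superposition state disturbed half of the time, which is the perturbation the theorem guarantees.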



A. Entanglement and Information

A quantum pure state $|\Psi\rangle$ in a Hilbert space $\mathcal{H} = \bigotimes_{i=1}^{n} \mathcal{H}_i$ of $n$ qubits is said to be separable (with respect to the factor spaces $\{\mathcal{H}_1, \mathcal{H}_2, \ldots, \mathcal{H}_n\}$) when it can be factorized as follows:

(20)

Otherwise the state $|\Psi\rangle$ is called entangled. Famous examples of entangled states are the EPR pairs (Einstein, Podolsky and Rosen, 1935) or Bell states like

$$|\Psi^\pm\rangle := \frac{1}{\sqrt{2}}\,[\,|01\rangle \pm |10\rangle\,], \qquad |\Phi^\pm\rangle := \frac{1}{\sqrt{2}}\,[\,|00\rangle \pm |11\rangle\,], \tag{21}$$

which physically may be represented by a spin-$\frac{1}{2}$ singlet and triplet or by entangled polarized (vertical and horizontal) photons (Kwiat et al., 1995), and the GHZ state (Greenberger, Horne and Zeilinger, 1989)

$$|{\rm GHZ}\rangle := \frac{1}{\sqrt{2}}\,[\,|000\rangle + |111\rangle\,], \tag{22}$$

which has been observed experimentally in polarization entanglement of three spatially separated photons (Bouwmeester et al., 1999).

The concept of entanglement is the distinctive and responsible feature that allows quantum information to overcome some of the limitations posed by classical information, as exemplified by the new phenomena of teleportation, dense coding, etc., to be explained in the following sections. Although it is simple to state mathematically, entanglement leads however to profound experimental consequences like non-local correlations: when two distant parties A (Alice) and B (Bob) share, say, an EPR pair,$^7$ the measurement by A of her state univocally determines the state on the B side. Apparently, this implies instant information transmission, in sharp contrast with Einstein's relativity. However, to reconcile both facts we must notice that the only way the B side has to know about his state (without measuring it) is by receiving a classical communication from the A side, which does propagate no faster than the speed of light.

For these basic reasons, entanglement is considered as a resource in quantum information (Bennett, 1998), something that we must have available if we want to take advantage of the new communication possibilities exhibited by quantum protocols.

When the system has two parts, namely $\mathcal{H} := \mathcal{H}_A \otimes \mathcal{H}_B$, it is called bipartite. In general, a multipartite system is of the form $\mathcal{H} := \bigotimes_{i=1}^{n} \mathcal{H}_i$. We may think of entanglement as a manifestation of the superposition principle when applied to bipartite or multipartite systems. Thus, genuine multiparticle or many-body states exhibit entanglement properties, which in the theory of strongly correlated systems are known as quantum correlations (Fulde, 1993).$^8$ We may state that entanglement and quantum correlations are closely linked.

Being a non-local concept, entanglement must be independent of local manipulations performed on each of the A and B parties. These operations are represented by unitary operators $U_A \otimes U_B$, in a factorized form, acting on the states of $\mathcal{H} = \mathcal{H}_A \otimes \mathcal{H}_B$, or they may be local measurements on either side. Moreover, classical communication is also permitted by the two parties. Entanglement cannot be created by these local operations. However, factorized states can be obtained by local operations, like measurements. Altogether, these types of local operations plus classical communications are known as LOCC transformations. The set LOCC is not a group, but a semigroup, for the inverse of a given transformation is not guaranteed to exist, due to possible irreversible measurements by each party.

7 It is usual in information theory to introduce a set of characters named as Alice (the sender), Bob (the recipient), and Eve (the eavesdropper).

8 These types of correlations are responsible for novel quantum phase transitions (Sachdev, 1999) where the transition is driven by quantum fluctuations instead of standard thermal fluctuations.

The characterization of entanglement for general quantum states (pure or mixed, bipartite or multipartite) is very difficult, in part due to the type of transformations allowed in the set LOCC. For entangled pure states of 2 qubits or general bipartite systems A and B with dimensions $d_A$, $d_B$ respectively, entanglement is well understood in terms of their Schmidt (1906) decomposition: given an arbitrary state

$$|\Psi\rangle_{AB} := \sum_{i=1}^{d_A} \sum_{j=1}^{d_B} c_{ij}\, |a_i\rangle_A |b_j\rangle_B \in \mathcal{H} = \mathcal{H}_A \otimes \mathcal{H}_B \tag{23}$$

with $\{|a_i\rangle_A\}_{i=1}^{d_A}$, $\{|b_j\rangle_B\}_{j=1}^{d_B}$ orthonormal bases of $\mathcal{H}_A$, $\mathcal{H}_B$, then it admits a biorthonormal decomposition of the form

$$|\Psi\rangle_{AB} = \sum_{k=1}^{r} \sqrt{w_k}\, |u_k\rangle_A |v_k\rangle_B, \quad w_k > 0, \quad \sum_{k=1}^{r} w_k = 1, \tag{24}$$

where $\{|u_k\rangle_A\}_{k=1}^{r}$ and $\{|v_k\rangle_B\}_{k=1}^{r}$ are sets of orthonormal vectors for subsystems A and B, and $r \le d := \min\{d_A, d_B\}$ is the so-called Schmidt rank of $|\Psi\rangle_{AB}$ (Schmidt, 1906; Hughston, Jozsa and Wootters, 1993; Ekert and Knight, 1995).$^9$ The coefficients $w_k$ are called Schmidt weights.

The Schmidt decomposition is essentially unique in the following sense: the weights (multiplicities included) are unique (up to order), and hence the rank; given a non-degenerate weight $w_k$, the state vectors $|u_k\rangle_A$, $|v_k\rangle_B$ are unique up to reciprocal phase factors; when the weight $w_k$ is degenerate, the corresponding states in Alice's side are unique up to an arbitrary unitary transformation $U_A$ to be compensated by a simultaneous unitary transformation $U_B = U_A^{*}$ on the associated vectors in Bob's side.

From the Schmidt decomposition it immediately follows that a bipartite pure state $|\Psi\rangle_{AB}$ is entangled if and only if its Schmidt rank $r > 1$.

From the point of view of the subsystem A, the description of its quantum properties is realized by means of the reduced density matrix $\rho_A$ (and likewise for subsystem B with $\rho_B$):

$$\rho_A := \mathrm{Tr}_B\, |\Psi\rangle_{AB}\langle\Psi|, \qquad \rho_B := \mathrm{Tr}_A\, |\Psi\rangle_{AB}\langle\Psi|, \tag{25}$$



9 The Schmidt decomposition is equivalent to the Singular Value Decomposition (SVD) of the $d_A \times d_B$ matrix $C := (c_{ij})$ in linear algebra (Press et al., 1992). Let $d_A \le d_B$. Then $C = UDV$, where $U$ is an orthogonal $d_A \times d_A$ matrix ($U^\dagger U = 1_{d_A}$), $V$ is a $d_A \times d_B$ matrix representing a Euclidean isometry from $\mathbb{C}^{d_A}$ to $\mathbb{C}^{d_B}$ (i.e. $VV^\dagger = 1_{d_A}$), and $D$ is the $d_A \times d_A$ diagonal matrix $\mathrm{diag}(\sqrt{w_1}, \ldots, \sqrt{w_r}, 0, \ldots, 0)$. Using the SVD $c_{ij} = \sum_{k=1}^{r} U_{ik} \sqrt{w_k}\, V_{kj}$ in (23) we immediately arrive at the Schmidt decomposition (24).



where $\mathrm{Tr}_B$ denotes the partial trace over the B subsystem (similarly for $\mathrm{Tr}_A$ and subsystem B). The Schmidt decomposition (24) implies that

$$\rho_A = \sum_{k=1}^{r} w_k\, |u_k\rangle_A \langle u_k|, \qquad \rho_B = \sum_{k=1}^{r} w_k\, |v_k\rangle_B \langle v_k|. \tag{26}$$

Another important implication of (24) is that as $r \le d$, when a qubit state $d_A = 2$ is entangled to a qudit state $d_B > 2$ then the Schmidt decomposition has at most two terms, no matter how large $d_B$ is.

Interestingly enough, the Schmidt decomposition has appeared independently again in the field of strongly correlated systems through the density matrix renormalization group method DMRG (White, 1992; 1993).$^{10}$

Once we know whether a given bipartite pure state is entangled or not, the next question is to get entanglement ordered: given two states $|\Psi_1\rangle_{AB}$, $|\Psi_2\rangle_{AB}$, which one is more entangled? No sufficiently general answer is known to this question. A tentative simple choice would be to measure entanglement through the partial Von Neumann entropies (Bennett et al., 1996a):

$$E(|\Psi_{AB}\rangle) := S(\rho_A) = S(\rho_B). \tag{27}$$

Such entropies do not increase under LOCC, but having $E(|\Phi_{AB}\rangle) \le E(|\Psi_{AB}\rangle)$ does not guarantee that an LOCC action may bring $|\Psi_{AB}\rangle$ to $|\Phi_{AB}\rangle$.

10 The Schmidt weights govern the truncation process inherent to the DMRG method: the highest weights are retained while the smallest (beyond a certain desired value) are eliminated. This truncation makes the exponentially large problem much more amenable.

The theory of majorization provides us with a criterion to ascertain when any two entangled states can be LOCC connected (Nielsen, 1999). Given two vectors $x = (x_1, x_2, \ldots, x_d)$, $y = (y_1, y_2, \ldots, y_d)$ in $\mathbb{R}^d$, decreasingly ordered $x_1 \ge x_2 \ge \cdots \ge x_d$, $y_1 \ge y_2 \ge \cdots \ge y_d$, we say that $x$ is majorized by $y$, denoted $x \prec y$ (equivalently, $y$ majorizes $x$), if the following series of relations hold true:

$$\begin{aligned}
x_1 &\le y_1 \\
x_1 + x_2 &\le y_1 + y_2 \\
&\;\;\vdots \\
x_1 + x_2 + \cdots + x_{d-1} &\le y_1 + y_2 + \cdots + y_{d-1} \\
x_1 + x_2 + \cdots + x_d &= y_1 + y_2 + \cdots + y_d
\end{aligned} \tag{28}$$

The majorization relation is a partial order in $\mathbb{R}^d$: 1/ $x \prec x$, $\forall x$; 2/ $x \prec y$ and $y \prec x$ iff $x = y$; 3/ if $x \prec y$ and $y \prec z$ then $x \prec z$. When the components of the vector $x$ are positive $x_k \ge 0$ and normalized $\sum_k x_k = 1$, they may be thought of as probability distributions as in Sec.y. The central result is the following: a bipartite state $|\Psi\rangle_{AB}$ can be transformed via LOCC operations into another state $|\Phi\rangle_{AB}$ iff $w(|\Psi\rangle)$ is majorized by $w(|\Phi\rangle)$,

$$|\Psi\rangle_{AB} \longrightarrow |\Phi\rangle_{AB} \iff w(|\Psi\rangle) \prec w(|\Phi\rangle), \tag{29}$$

where $w(|\Psi\rangle)$ is the ordered vector of eigenvalues or weights (multiplicities included) of the reduced density matrix $\rho_A$ (25), (26) associated with $|\Psi\rangle_{AB}$ (similarly for

For example, let us consider the parties A and B sharing this couple of qutrit states in the basis $\{|0\rangle, |1\rangle, |2\rangle\}$:

\*)ab =l\00) + l\U) + \\22) 

[2 fï fï (30) 

Both states are entangled, but $|\Psi\rangle_{AB}$ cannot be transformed into $|\Phi\rangle_{AB}$ or vice versa: they possess different types of entanglement. They are said to be incomparable or incommensurate (Nielsen, 1999; Vidal, 1999).
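The majorization test (28)-(29) and the entropy measure (27) are easy to run on Schmidt weight vectors. The following is an added example, not code from the paper; the weight vectors in it are constructed for illustration and are not the coefficients of Eq. (30), and the function names are hypothetical.

```python
import math

def schmidt_vector(weights, tol=1e-9):
    """Schmidt weights sorted decreasingly, checked against Eq. (24):
    every w_k >= 0 and the weights sum to 1."""
    w = sorted((float(x) for x in weights), reverse=True)
    if any(x < -tol for x in w) or abs(sum(w) - 1.0) > tol:
        raise ValueError("Schmidt weights must be non-negative and sum to 1")
    return w

def majorized_by(x, y, tol=1e-9):
    """True if x is majorized by y, i.e. every partial sum in Eq. (28) holds."""
    x, y = schmidt_vector(x, tol), schmidt_vector(y, tol)
    d = max(len(x), len(y))
    x = x + [0.0] * (d - len(x))   # pad the shorter vector with zero weights
    y = y + [0.0] * (d - len(y))
    sx = sy = 0.0
    for xi, yi in zip(x, y):
        sx += xi
        sy += yi
        if sx > sy + tol:
            return False
    return True                     # the last line of (28) holds by normalization

def entanglement_entropy(weights):
    """Eq. (27): E = S(rho_A) = -sum_k w_k log2 w_k."""
    return -sum(w * math.log2(w) for w in schmidt_vector(weights) if w > 0)

def locc_relation(psi, phi):
    """Classify two pure bipartite states by Eq. (29), given their weights."""
    forward = majorized_by(psi, phi)    # psi can be taken to phi by LOCC
    backward = majorized_by(phi, psi)   # phi can be taken to psi by LOCC
    if forward and backward:
        return "equivalent"
    if forward:
        return "psi -> phi"
    if backward:
        return "phi -> psi"
    return "incomparable"

# Constructed sample weights (assumptions for this example only).
PSI = (0.5, 0.4, 0.1)
PHI = (0.6, 0.2, 0.2)
BELL = (0.5, 0.5)
PRODUCT = (1.0,)

if __name__ == "__main__":
    print("PSI vs PHI:", locc_relation(PSI, PHI))
    print("E(PSI) =", round(entanglement_entropy(PSI), 4),
          " E(PHI) =", round(entanglement_entropy(PHI), 4))
    print("BELL vs PRODUCT:", locc_relation(BELL, PRODUCT))
```

With these weights the entropies are ordered while neither state majorizes the other, so the entropy ordering alone does not decide LOCC convertibility.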

However, for general multipartite systems the issue of how to relate the LOCC action with entanglement in a given pure state is an open question (Lewenstein et al., 2000).

A definition of entanglement for finite dimensional systems with mixed states characterized by a density matrix $\rho$ goes as follows (Werner, 1989): $\rho$ is called separable when it can be written as a convex combination of product states

$$\rho = \sum_{k=1}^{r} \lambda_k \bigotimes_{i=1}^{n} \rho_k^{(i)}, \quad \lambda_k > 0, \quad \sum_k \lambda_k = 1. \tag{31}$$

When $\rho$ is not separable, one calls it an entangled mixed state. The situation about quantifying and qualifying entanglement is even worse for mixed quantum states (Horodecki et al., 1996a; Peres, 1996; Dür, Cirac and Tarrach, 1999; Giedke et al., 2001). There are partial characterizations of entanglement like the Peres criterion (1996): a necessary condition for separability of $\rho$ is that the matrices $\rho^{t_j}$, $j = 1, \ldots, r$, obtained by partial transposition$^{11}$ of $\rho$ with respect to an arbitrary orthonormal basis of the factor space $\mathcal{H}_j$ of the $j$-component, are non-negative ($\rho^{t_j} \ge 0$). The converse is true in the special cases $\mathbb{C}^2 \otimes \mathbb{C}^2$ and $\mathbb{C}^2 \otimes \mathbb{C}^3$ (Horodecki et al., 1996b).

There are also complete characterizations of entanglement in terms of entanglement witness operators and positive maps (Horodecki et al., 1996a), but their classification turns out to be as complicated as the original problem of entangled mixed states.



B. Quantum Coding and Schumacher's Theorem 

Let now $A := \{|\phi_i\rangle, p_i\}_{i=1}^{|A|}$ be a "quantum alphabet" consisting of a set of distinct pure states (not necessarily orthogonal) and their corresponding probabilities ($\sum_i p_i = 1$). We assign to it the following density operator $\rho(A) := \sum_i p_i |\phi_i\rangle\langle\phi_i|$. A message emitted by a source of quantum signals is now a sequence $\phi_{i_1 \ldots i_n} := |\phi_{i_1}\rangle|\phi_{i_2}\rangle \cdots |\phi_{i_n}\rangle$ of "quantum characters" or "quantum symbols", each produced with probability $p_i$, independently of the others. The collection of messages with $n$ symbols is representable by the density operator $\rho^{\otimes n}$, which lives in a Hilbert space of maximum dimension $|A|^n = 2^{n \log_2 |A|}$. The question naturally arises again as to whether it is possible to compress the information contained in $\rho^{\otimes n}$. And the answer, found by Schumacher (Schumacher, 1995), is similar to Shannon's first theorem: asymptotically ($n \gg 1$) the state $\rho^{\otimes n}$ is compressible to a state in a Hilbert space of dimension $2^{nS(\rho)}$, with a fidelity $F$ (probability that the decoded state coincides with the state prior to coding) arbitrarily close to 1. In other words, it is compressible to $nS(\rho)$ qubits. Then $S(\rho)$ can be thought of as the average number of qubits of essential quantum information, per character of the alphabet.

The idea of the proof follows the same guideline as for the classical theorem (Schumacher, 1995; Jozsa and Schumacher, 1994; Preskill, 1998). Let us diagonalize $\rho = \sum_r \lambda_r |r\rangle\langle r|$. The Von Neumann entropy $S(\rho)$ clearly coincides with the Shannon entropy $H(D)$ of the classical alphabet $D := \{r, \lambda_r\}$. Introducing the typical messages as those strings or tensor-product vectors $\psi_{i_1 \ldots i_n} := |i_1\rangle \cdots |i_n\rangle$ in the orthonormal basis that diagonalizes $\rho$, such that its probability $\lambda_{i_1 \ldots i_n} := \prod_j \lambda_{i_j}$ satisfies $\lambda_{i_1 \ldots i_n} \sim 2^{-nH(D)}$ for $n \gg 1$, it is shown that $\rho^{\otimes n}$ is asymptotically concentrated on the typical subspace $T$ spanned by them: $\mathrm{Tr}(P_T\, \rho^{\otimes n}) \sim 1$. Here $P_T$ is the orthogonal projection onto $T$. The strategy of compression amounts to making a measurement that projects the original message $\phi_{i_1 \ldots i_n}$ either onto $T$, or onto $T^\perp$. If the former is the case, the projected state $P_T \phi_{i_1 \ldots i_n}$ is faithfully sent, upon coding it into $nH(D)$ qubits. What one does in the remaining case is irrelevant, for the probability that the result be $(1 - P_T)\phi_{i_1 \ldots i_n}$ is asymptotically negligible.

The average fidelity in this procedure is perfect in the limit $n \to \infty$, and as in the classical theory, the quantum compression thus obtained is optimal.

11 Note that $\rho^{t_j} := \sum_{k=1}^{r} \lambda_k\, \rho_k^{(1)} \otimes \cdots \otimes (\rho_k^{(j)})^{t} \otimes \cdots \otimes \rho_k^{(n)} \ge 0$, since the coefficients and each factor matrix are non-negative, no matter which basis is chosen in $\mathcal{H}_j$ to define the transpose.

If the alphabet $A := \{\rho_i, p_i\}_{i=1}^{|A|}$ is made up of mixed states, the issue of the message compressibility gets more involved. To properly measure it, the Shannon entropy $S(\rho := \sum_i p_i \rho_i)$ must yield to another more general concept, the so-called Holevo information of the alphabet or ensemble $A := \{\rho_i, p_i\}_{i=1}^{|A|}$ (Levitin 1969; Holevo, 1973; Preskill, 1998):

$$\chi(A) := S(\rho) - \sum_i p_i S(\rho_i). \tag{32}$$

The Holevo information is similar to the classical mutual information. As $I(X : Y)$ measures how the entropy of $X$ gets reduced when $Y$ is known, $\chi(A)$ represents the reduction of the entropy $S(\rho)$ of $\rho$, when the actual preparation of this state as a convex combination $\rho = \sum_i p_i \rho_i$ is known.

Assuming the states $\rho_i$ of the alphabet to be mutually orthogonal, that is, $\mathrm{Tr}(\rho_i \rho_j) = 0$ for $i \ne j$, it is not difficult to see that the state $\rho^{\otimes n}$ is asymptotically ($n \gg 1$) compressible to a state of $n\chi(A)$ qubits, with fidelity tending to 1. Moreover, this result is optimal.

When the states are not orthogonal, the results are only partial: it is known that there does not exist an asymptotically faithful compression below $\chi(A)$ per letter of the alphabet, but it is still an open problem whether a compression of $\chi(A)$ qubits/character is or is not accessible in the limit $n \to \infty$.



C. Capacities of a Quantum Channel 

For a quantum transmission channel we can consider its capacity $C$ for transmitting classical data, its capacity $Q$ for transmitting quantum states exactly, and its mixed capacities $Q_{1,2}$ for transmitting quantum states, also exactly, but with the assistance of a classical side-channel between sender and receiver.

Given a quantum channel $\mathcal{N}$, usually noisy, Shannon's second theorem suggests defining the classical capacity $C(\mathcal{N})$ as the supremum of the transmission rates $R := k/n$ of classical words $k$ cbits long such that: 1/ Transmission is carried out after an appropriate word coding as $n$-bit words that are sent by $n$ forward uses of the channel $\mathcal{N}$, followed by an associated decoding upon arrival (yielding words of $k$ bits). 2/ The fidelity of the transmission is asymptotically 1. The quantum capacity $Q(\mathcal{N})$ is defined similarly by replacing the classical input/output words of $k$ cbits by pure/mixed states of $k$ qubits (Bennett and Shor, 1998).

The assisted quantum capacities $Q_{1,2}(\mathcal{N})$ are defined in a similar fashion as $Q(\mathcal{N})$, but now the coding-decoding protocol may include arbitrary local operations on input and output states, and may resort to a classical communication channel in the input-to-output direction (subscript 1), or in both directions (subscript 2).

It is possible to show that $Q = Q_1$ (Bennett et al. 1996; Bennett and Shor, 1998); that is, sending classical messages from origin to destination does not increase the channel capacity. On the other hand, it is evident that $Q \le Q_2$, and using orthogonal states to transmit cbits leads to $Q \le C$. But it is not known whether $C \le Q_2$ holds or not. Channels are known for which $Q < Q_2$, and others for which $Q_2 < C$.



As asymptotically defined, it is not surprising that the computation of these capacities is usually difficult. In some instances they are known, as in the case of the so-called quantum erasure channel, in which there is a probability $p$ that the channel replaces the qubit by an erasure symbol orthogonal to the states $\{|0\rangle, |1\rangle\}$, and the complementary probability $1 - p$ that the qubit goes through exactly. For this type of channel $C = Q_2 = 1 - p$, and $Q = \max\{0, 1 - 2p\}$ (Bennett, DiVincenzo and Smolin, 1997; Bennett and Shor 1998).

Unlike the classical case, where the capacity can be computed maximizing the mutual information between input and output in a single use of the channel, the capacities (whether classical or quantum) of the quantum channels do not usually allow for a similar computation. This is because in this quantum case it is allowed to code by entangling several successive states on input, and to decode by means of joint measurements on several states on output. However, for the case $C_{cq}$ (classical capacity with classical encoding and quantum decoding), it is known that $C_{cq}(\mathcal{N}) = \sup_{\rho} \chi(\mathcal{N}(\rho))$ (Bennett and Shor, 1998).

Finally, prior entanglement between sender and receiver improves the transmission capacity. Let $C_E$, $Q_E$ be the classical and quantum entanglement-assisted capacities of a quantum channel. A direct consequence of the dense coding and quantum teleportation, to be described later, is the relation $C_E = 2C$ for noiseless quantum channels, and the relation $Q \le Q_E = \frac{1}{2} C_E$ for any quantum channel (Bennett et al., 1999).

D. Quantum Error Correction 

It is not possible in the quantum case just to plainly imitate the classical methods of error correction, for merely trying to check which qubits have been affected by errors irremediably damages the information content. Neither can we make strings of equal quantum states, for the unitarity of quantum mechanics forbids the cloning of arbitrary unknown quantum states. This explains the initial pessimism about the possible functioning of a quantum computer (Landauer 1994; Unruh, 1995). Then, what to do? Fortunately enough, in 1995 Shor provided us with a first solution showing an encoding system (of 9:1 bits) capable of detecting and correcting one erroneous qubit.$^{12}$ Soon after, new and more economical codes were discovered, such as the 7:1 code of Steane (1996a; 1996b), Calderbank and Shor (1996), and the 5:1 code of Bennett et al. (1996).$^{13}$ It is not possible to present here a full account of the many remarkable contributions in this field during the last six years. It is currently a developing field in which, as happened with the classical error correction codes, unexpected connections with pure mathematics have also been found (Shor and Sloane, 1998).

12 Actually, the very first idea of quantum error correction, at the time called "recoherence", was proposed by Deutsch during his talk at the Rank Prize Funds Symposium on Quantum Communication and Cryptography (1993, Broadway, UK). This idea was later on developed further (Berthiaume, Deutsch and Jozsa, 1994; Barenco et al., 1997). Even the idea of decoherence free subspaces (Palma, Suominen and Ekert, 1996) preceded Shor's 9-qubit code.

The underlying idea of quantum error correction is to hide the information into subspaces of $\mathbb{C}^{2^n}$ in order to protect it against decoherence and errors that only affect a few qubits. To this end, if our system has $k$ qubits (called "logical qubits"), a quantum error correction code (QECC) encodes their states by means of a linear isometric embedding $\pi : \mathbb{C}^{2^k} \hookrightarrow \mathbb{C}^{2^n}$, with $n > k$. We shall denote by $Q$ the image subspace of $\pi$, and its states will be called code states (or codewords). The additional $n - k$ qubits help us in protecting the information. The map $\pi$ should disguise the information by delocalizing it, with the aim that errors (which often affect locally just one or a few qubits) may alter it not at all or the least possible (Preskill, 1998; Steane, 1997; Aharonov, 1998).

A system of $n$ qubits in an initial pure state $\psi$ is not absolutely isolated. Upon interaction with the environment in a state $\alpha_{\rm in}$, it suffers a transformation of the form $\psi \otimes \alpha_{\rm in} \mapsto \sum_r (E_r \psi) \otimes \alpha_r$, where the operators $E_r$, $0 \le r \le 2^{2n} - 1$, are Pauli operators (elements of the set $P^{(n)} := \{1, X, Y, Z\}^{\otimes n}$) and the environment states $\alpha_r$ are not necessarily orthogonal nor normalized. Let us call the weight of an element in $P^{(n)}$ the number of its nontrivial (i.e. $X$, $Y$, $Z$) tensor factors. If $\psi$ is a code state, then each term $(E_r \psi) \otimes \alpha_r$ represents a component with a number of errors equal to the weight of $E_r$.

Given a collection of errors $\mathcal{E} \subset P^{(n)}$ formed by all the Pauli operators of weight $\le t$, a QECC is said to amend up to $t$ errors when it is capable of correcting every error in $\mathcal{E}$. For that to happen it is necessary and sufficient that $\langle j|E_s^\dagger E_r|i\rangle = m_{sr}\,\delta_{ji}$ be fulfilled, for any arbitrary orthonormal basis $\{|i\rangle\}$ of the code subspace $Q$ and all $E_{r,s} \in \mathcal{E}$, $m$ being a selfadjoint matrix. This condition means something quite natural: first, that given any two orthogonal codewords $|i\rangle$, $|j\rangle$, the sets $E_r|i\rangle$, $E_r|j\rangle$ of corrupted codewords must be mutually orthogonal, otherwise the perfect distinguishability of those words might get lost, and second, should $\langle i|E_s^\dagger E_r|i\rangle$ depend on $i$, the detection of the error would yield information about the code state, thereby perturbing it. If $m = {\rm id}$, the code is called nondegenerate, and the error subspaces $E_r Q$, $1 \ne E_r \in \mathcal{E}$, are orthogonal to the code subspace $Q$ and perpendicular to one another. In this case it suffices to make a measurement, which is possible because of the orthogonality, that determines in which subspace the ($n$-qubit system) $\otimes$ environment lies. If the result of that measurement is $(E_r \psi) \otimes \alpha_r$, by applying to the resulting state of the system the unitary operator $E_r^\dagger$ we shall retrieve the original state $\psi$ free of error. In the degenerate case, an error syndrome does not single out the error, and the retrieval strategy gets more involved.

The distance $d$ of a QECC is defined as the lowest weight of a Pauli operator $E$ such that $\langle j|E|i\rangle \ne c_E\,\delta_{ji}$. In analogy with the notation for CECCs, we shall write $[[n, k, d]]_2$ to denote a binary QECC (i.e., with qubits) of parameters $n, k, d$. It is easy to see that a code $[[n, k, d]]_2$ allows the correction of $t := \lfloor (d - 1)/2 \rfloor$ errors.

There are also asymptotic bounds for the QECCs $[[n, k, d]]_2$ similar to those presented for CECCs (Ekert and Macchiavello, 1996; Preskill, 1998).

• Hamming's quantum upper bound:

$$R := k/n \le 1 - H_2(t/n) - (t/n) \log_2 3, \quad n \gg 1. \tag{33}$$

• Gilbert-Varshamov's quantum lower bound:

$$R \ge 1 - H_2(2t/n) - (2t/n) \log_2 3, \quad n \gg 1. \tag{34}$$

As in the classical case, there exist QECCs which are asymptotically good. A different question (still open) is their explicit construction.

Example of QECC: CSS codes. Let $C_1$ be a linear and binary CECC of type $[n, k_1, d_1]_2$, and $C_2 \subset C_1$ a subcode $[n, k_2, d_2]_2$ of $C_1$, with $k_2 < k_1$. Let $C := C_1/C_2$ be the quotient space, of dimension $2^{k_1 - k_2}$.

Let us introduce a QECC $Q \subset \mathbb{C}^{2^n}$ of dimension $2^k$, with $k = k_1 - k_2$, spanned by the vectors

$$|\bar{w}\rangle := 2^{-k_2/2} \sum_{v \in C_2} |w + v\rangle, \quad w \in C_1. \tag{35}$$

Note that this definition does not depend on the element $w$ chosen to represent the class $w + C_2$, and that the vectors $|\bar{w}\rangle$ thus constructed form an orthonormal system.

It can be shown that this quantum code recognizes and corrects (up to) $t_b := \lfloor (d_1 - 1)/2 \rfloor$ bit-flip errors $X$, and $t_{ph} := \lfloor (d_2^\perp - 1)/2 \rfloor$ phase-flip errors $Z$, where $d_2^\perp$ is the distance of the code $C_2^\perp$ dual to $C_2$. Likewise, the distance $d$ of this quantum code satisfies $d \ge \min(d_1, d_2^\perp)$.

The QECCs $[[n, k, d]]_2$ thus constructed are called CSS (Calderbank-Shor-Steane) codes (Steane, 1996a; Steane, 1996b; Calderbank and Shor, 1996; Preskill, 1998).

The simplest and most illustrative example of a CSS code is the $[[7, 1, 3]]_2$ code of Steane, or quantum code of 7 qubits. It is obtained taking as $C_1$ the Hamming code $H_2(l)$ of type $[7, 4, 3]_2$, and as $C_2$ its dual ($C_2 = C_1^\perp$), which is of type $[7, 3, 4]_2$, and coincides with the even subcode (that is, the code formed by the codewords of even weight)$^{14}$ of $C_1$. It corrects one bit-flip error $X$, and one phase-flip error $Z$. Thus, it also corrects a mixed error $Y$, but not a double bit-flip (or phase-flip) error.

13 An $n : 1$ code embeds 1 qubit into the space of $n$ qubits.

14 The weight of a binary word is defined as the number of its nonzero coordinates.

A generator matrix for $H_2(l)$ is



G := 



1 1 1 1\ 

110 11 

1 1 1 1 

,1 1 1 0/ 



(36) 



and an associated parity matrix (generator for the dual) is

$$H := \begin{pmatrix} 1 & 0 & 1 & 0 & 1 & 0 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}. \tag{37}$$



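Thus, a basis of code states is given by

$$\begin{aligned}
|\bar{0}\rangle := 8^{-1/2} \big(\, &|1010101\rangle + |0110011\rangle + |0001111\rangle + |0000000\rangle \\
+\, &|1100110\rangle + |1011010\rangle + |0111100\rangle + |1101001\rangle \,\big), \\
|\bar{1}\rangle := 8^{-1/2} \big(\, &|0100101\rangle + |1000011\rangle + |1111111\rangle + |1110000\rangle \\
+\, &|0010110\rangle + |0101010\rangle + |1001100\rangle + |0011001\rangle \,\big).
\end{aligned} \tag{38}$$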

Let us assume that we have a qubit with a state coded as $|\phi\rangle := \alpha|\bar{0}\rangle + \beta|\bar{1}\rangle$, in which a bit flip has occurred at the third place ($X_3$ error). How can we detect and correct it? With the help of an auxiliary system or ancilla $A$ of ($n - k_1 = 3$) qubits we form the state $(X_3|\phi\rangle) \otimes |000\rangle_A$, which we transform by the unitary map defined on $\mathbb{C}^{2^n} \otimes \mathbb{C}^{2^3}$ by $|v\rangle \otimes |000\rangle_A \mapsto |v\rangle \otimes |Hv\rangle_A$, with the result $(X_3|\phi\rangle) \otimes |He\rangle_A$, where $e := 0010000$ is the binary word that signals the place number 3 at which the bit-flip error occurred. But $He = 110$, which is also number 3 in (reversed) binary form. That is, we have marked in the ancilla the syndrome of the error made. It is essential that the ancilla remains in a state depending only on the error, and not on the particular state of the system. Now, it is enough to measure the state of the ancilla in order to find out that the error made has been $X_3$, to apply the operator $X_3^{-1}$ to the system in order to retrieve the state free of error $|\phi\rangle$, and to bring back the ancilla to its neutral state $|000\rangle_A$. Finally suppose instead that the error to detect and correct is a phase flip at the fifth place ($Z_5$ error). Since $Z_5 = U_{\rm H}^{\otimes 7} X_5 U_{\rm H}^{\otimes 7}$, with $U_{\rm H}$ being the unary Hadamard application, it is enough for the system to go through the operation $U_{\rm H}^{\otimes 7}$, to apply then the previous strategy, and finally to act with $U_{\rm H}^{\otimes 7}$ once more.
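The bit-flip part of this procedure acts on the binary labels of the basis kets, so it can be traced classically. The following is an added example, not code from the paper: it uses the parity matrix $H$ of Eq. (37), rebuilds the supports of the two code states of Eq. (38), and shows both the single-error correction and the double bit-flip failure mentioned above; the function names are hypothetical.

```python
from itertools import combinations, product

N = 7
# Rows of the parity matrix H of Eq. (37); they also generate the dual code C2.
H = [(1, 0, 1, 0, 1, 0, 1),
     (0, 1, 1, 0, 0, 1, 1),
     (0, 0, 0, 1, 1, 1, 1)]

def add(u, v):
    """Bitwise addition mod 2 of two binary words."""
    return tuple(a ^ b for a, b in zip(u, v))

def syndrome(word):
    """H.word mod 2: the value written into the 3-qubit ancilla."""
    return tuple(sum(h * w for h, w in zip(row, word)) % 2 for row in H)

def logical_supports():
    """Binary words appearing in the logical 0 and logical 1 states of Eq. (38)."""
    zero = set()
    for coeffs in product((0, 1), repeat=len(H)):
        w = (0,) * N
        for c, row in zip(coeffs, H):
            if c:
                w = add(w, row)
        zero.add(w)
    one = {add(w, (1,) * N) for w in zero}   # coset of C2 shifted by 1111111
    return zero, one

def unit_error(position):
    """Binary word e with a single 1 at the given place (1-based)."""
    return tuple(1 if i == position - 1 else 0 for i in range(N))

def error_position(s):
    """Read the syndrome as a number in reversed binary form (0 = no error)."""
    return s[0] + 2 * s[1] + 4 * s[2]

def correct(word):
    """Flip back the bit that the syndrome points to."""
    pos = error_position(syndrome(word))
    return word if pos == 0 else add(word, unit_error(pos))

def decode_logical(word):
    """Correct the word, then report which logical state it belongs to."""
    zero, one = logical_supports()
    fixed = correct(word)
    if fixed in zero:
        return 0
    if fixed in one:
        return 1
    raise ValueError("corrected word is not a codeword")

def double_flip_outcomes():
    """Logical values decoded from logical-0 words hit by two bit flips."""
    zero, _ = logical_supports()
    return {decode_logical(add(add(v, unit_error(i)), unit_error(j)))
            for v in zero for i, j in combinations(range(1, N + 1), 2)}

if __name__ == "__main__":
    e3 = unit_error(3)
    print("He for e = 0010000:", "".join(map(str, syndrome(e3))))
    print("decoded after X3 on a logical-0 word:", decode_logical(add(H[0], e3)))
    print("decoded after double flips on logical-0 words:", double_flip_outcomes())
```

Every codeword hit by the same single flip gives the same syndrome, which is why measuring the ancilla reveals nothing about $\alpha$, $\beta$; two flips are "corrected" into the other logical state.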



E. Entanglement Distillation 

In addition to quantum error-correction codes (QECC) 
there is another method to beat decoherence which is spe- 
cially suitable when communicating over noisy channcls. 



It is bascd on the notion of entanglement distillation or 
purification: given two spatially separated parties A and 
B sharing a collection of entanglcd pairs, they are allowed 
to perform quantum local operations and classical com- 
munication (LOCC) (III.A) to extract a reduced samplc 
of pairs with a higher purity of entanglement. Entan- 
glement distillation serves as a useful tool for quantum 
communication providing us with more powerful proto- 
cols for dcaling with errors (decoherence) than quantum 
error correction (Bcnnctt et al., 1996a). 

We need an entanglement measure (Vedral and Plenio,
1998). In distillation an appropriate entanglement measure
for a pure bipartite state $|\Psi_{AB}\rangle$ is $E(|\Psi_{AB}\rangle)$.
The reason comes from the fact that given $n$ pure bipartite
states $|\Psi_{AB}\rangle$, local actions and classical communications
are enough to prepare $m$ perfect singlet states with
a yield $m/n$ approaching $E(|\Psi_{AB}\rangle)$ as $n \to \infty$ (Bennett et
al., 1996a; Bouwmeester, Ekert and Zeilinger, 2000).

Finding optimal purification procedures in full generality
is open. However, explicit examples of entanglement
distillation protocols (EDP) are known to work at
least with particular types of mixed states, like the initial
EDP introduced by Bennett et al. (1996a), which
shall be referred to as the BBPSSW96 protocol. It is neither
optimal nor fully general, but it is the basic protocol
known from which other generalizations are derived.



BBPSSW96 Protocol. 

There are two parties A and B, Alice and Bob, which
communicate over a noisy channel. They share entangled
pairs of states and they aim at obtaining singlets
from them. Their basic strategy is to coordinate their
actions through classical messages, sacrificing some of the
entangled pairs to increase the purity of the remaining
ones.

Alice and Bob want to distill some pure entanglement,
say in the form of singlet states, from a given
collection of shared entangled pairs in an arbitrary bipartite
mixed state $\rho$. The purity of $\rho$ is measured through
the fidelity

$$F := \langle\Psi^-|\rho|\Psi^-\rangle \tag{39}$$

relative to a perfect singlet.

To be specific, in this protocol Alice and Bob share two
entangled pairs, each one in the state

$$W_F := F|\Psi^-\rangle\langle\Psi^-| + \frac{1}{3}(1-F)\left[|\Psi^+\rangle\langle\Psi^+| + |\Phi^+\rangle\langle\Phi^+| + |\Phi^-\rangle\langle\Phi^-|\right]. \tag{40}$$

These are called Werner states (1989). Note that they are
depolarized in the space orthogonal to the singlet. The
initial state in $(\mathcal{H}_{A_1}\otimes\mathcal{H}_{B_1})\otimes(\mathcal{H}_{A_2}\otimes\mathcal{H}_{B_2})$ is therefore

$$\rho_0 := W_F \otimes W_F. \tag{41}$$

TABLE I: The two columns on the right list the states
after the action of BCNOT starting from the states
on the left two columns. The notation is n.c.=no change.



We assume that the Werner pairs have fidelity $F > 1/2$.

Step 1. Unilaterally, Alice (or Bob) applies the gate $Y$
on each of her (his) two pairs of qubits. This brings $\rho_0$
to

$$\rho_1 := (Y\otimes 1)\otimes(Y\otimes 1)\,\rho_0\,(Y\otimes 1)\otimes(Y\otimes 1). \tag{42}$$

The Pauli operators map the Bell states onto one
another in a 1:1 pairwise fashion, leaving no state unchanged
(up to irrelevant phase factors which we will
ignore); in particular $Y\otimes 1: |\Psi^\pm\rangle \leftrightarrow |\Phi^\mp\rangle$. Then



(43) 



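with

$$W'_F := F|\Phi^+\rangle\langle\Phi^+| + \frac{1}{3}(1-F)\left[|\Phi^-\rangle\langle\Phi^-| + |\Psi^-\rangle\langle\Psi^-| + |\Psi^+\rangle\langle\Psi^+|\right]. \tag{44}$$

The outcome is a new bipartite state with a large component
$F > 1/2$ of $|\Phi^+\rangle$ and equal components of the other
three Bell states.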

Step 2. Bilaterally, Alice and Bob apply a CNOT operation
to each of their pairs of qubits. Let us denote
this joint operation as $U_{\rm BCNOT}$. Thus

$$\rho_1 \mapsto \rho_2 := U_{\rm BCNOT}\,\rho_1\,U_{\rm BCNOT}. \tag{45}$$

This composite operation acts conditionally on qubits 3
and 4 (target qubits) depending on the states of qubits
1 and 2 (source qubits), namely

$$U_{\rm BCNOT} := \left(|0\rangle\langle 0|\otimes 1\otimes 1\otimes 1 + |1\rangle\langle 1|\otimes 1\otimes U_{\rm NOT}\otimes 1\right)\cdot\left(1\otimes|0\rangle\langle 0|\otimes 1\otimes 1 + 1\otimes|1\rangle\langle 1|\otimes 1\otimes U_{\rm NOT}\right). \tag{46}$$



The possible results of acting with BCNOT on the Bell
states as source and target states are summarized in Table I.

Step 3. Alice and Bob measure (with respect to the computational
basis) their target qubits, i.e., Alice measures
qubit 3 and Bob qubit 4. Then, they share their results
by classical communication. If their results agree, they
both keep their unmeasured source qubits, otherwise they
discard them.

The source state $\rho'_s$ thereby obtained is a convex combination
of the Bell projections, with a weight of $|\Phi^+\rangle\langle\Phi^+|$
given by

$$F' := \frac{F^2 + \frac{1}{9}(1-F)^2}{F^2 + \frac{2}{3}F(1-F) + \frac{5}{9}(1-F)^2}. \tag{47}$$

The rest $1 - F'$ is not equally distributed among the other
three Bell states.

Step 4. Unilaterally, Alice (or Bob) applies $Y$ on her
(his) source qubit in order to convert $\rho'_s$ into a state $\rho_s$
of fidelity $F'$ (relative to $|\Psi^-\rangle$).

Step 5. The state $\rho_s$ is not a Werner state. But there is
a depolarizing procedure, called bilateral random operation,
which mutates it back into such a one while preserving
its fidelity (Bennett et al., 1996b).

The net result of this protocol is that with probability
greater than 1/4, one Werner pair of fidelity $F' > F > 1/2$
is distilled out of two Werner pairs of fidelity $F > 1/2$.

An initial supply of $N$ Werner states of fidelity $F$ is
halved by a single run of the above protocol to a sample
of Werner states of fidelity $F' > F$. Iterating the procedure
as much as necessary, Werner states of purity $F_{\rm out}$
arbitrarily close to 1 can be distilled from a supply of
input mixed states $\rho$ of any purity $F_{\rm in} > 1/2$.

The overall result of the BBPSSW96 protocol is to simulate
a noiseless quantum channel by a noisy one assisted
with local actions and classical communication (LOCC).
It assumes tacitly that the quantum channel is shorter
than its coherence length; otherwise one may resort to
the assistance of quantum repeaters (Dür et al. 1999).

There exist also EDP protocols using one single pair
of qubits (Gisin, 1996; Kwiat et al., 2001).

Finding the optimal distillation protocols for a general
state and any number of copies is the unsolved distillability
problem. Despite this lack of knowledge, a surprising
result is the existence of entangled states that cannot
be distilled and are called bound entangled (Horodecki et
al., 1998). Explicit examples of entangled mixed states
of two qutrits that cannot be distilled were found by
Horodecki et al. (1999). These states are useless for
quantum communication protocols and it is important
to distinguish them from distillable states that are also
called free entangled. In some general instances, it is possible
to conclude that a mixed state is bound entangled:
if $\rho$ is entangled and satisfies the Peres criterion $\rho^{T_B} \geq 0$
(Sec. III.A) then $\rho$ is a bound entangled state (Horodecki
et al., 1998).

15 The map $F \mapsto F'$ is strictly increasing in the interval
and has an attractive fixed point at $F = 1$.
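The recurrence (47) can be rederived by pure bookkeeping on Bell-state labels, which also gives the probability that a pair survives Step 3. The Python below is an added example, not code from the paper: the two-bit labelling of the Bell states and the XOR rule used for BCNOT are standard facts assumed here in place of Table I, and all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

# Bell states as (phase bit, parity bit): Phi+=(0,0), Phi-=(1,0), Psi+=(0,1), Psi-=(1,1).
# This labelling is an assumption of the example, not notation from the paper.
PHI_PLUS = (0, 0)


def rotated_werner(F):
    """Bell-diagonal weights of W'_F (Eq. 44): F on Phi+, (1-F)/3 on each other state."""
    rest = (1 - F) / 3
    return {(a, b): (F if (a, b) == PHI_PLUS else rest) for a in (0, 1) for b in (0, 1)}


def bcnot(source, target):
    """Bilateral CNOT on two Bell pairs (global phases ignored).

    The parity bit propagates source -> target, the phase bit target -> source.
    """
    (a_s, b_s), (a_t, b_t) = source, target
    return (a_s ^ a_t, b_s), (a_t, b_s ^ b_t)


def distill_round(F):
    """Steps 2-3 on W'_F (x) W'_F: returns (F', probability that the source pair is kept)."""
    w = rotated_werner(F)
    kept = {}
    for s, t in product(w, repeat=2):
        s_out, t_out = bcnot(s, t)
        # Alice's and Bob's target bits agree exactly when the target pair is Phi+ or Phi-.
        if t_out[1] == 0:
            kept[s_out] = kept.get(s_out, 0) + w[s] * w[t]
    p_keep = sum(kept.values())
    return kept[PHI_PLUS] / p_keep, p_keep


def closed_form(F):
    """Right-hand side of Eq. (47)."""
    num = F**2 + Fraction(1, 9) * (1 - F) ** 2
    den = F**2 + Fraction(2, 3) * F * (1 - F) + Fraction(5, 9) * (1 - F) ** 2
    return num / den


def rounds_to_reach(F_in, F_target, max_rounds=500):
    """Iterate F -> F' from F_in until F >= F_target.

    Returns (rounds, final fidelity, expected output pairs per input pair).
    Steps 4-5 preserve the fidelity, so each round restarts from a Werner state of fidelity F'.
    """
    F, pairs_out = float(F_in), 1.0
    for rounds in range(max_rounds + 1):
        if F >= F_target:
            return rounds, F, pairs_out
        F, p_keep = distill_round(F)
        pairs_out *= p_keep / 2      # two pairs in, at most one out, kept with p_keep
    raise ValueError("target fidelity not reached; is F_in > 1/2?")


if __name__ == "__main__":
    F = Fraction(3, 4)
    print("F' and keep probability:", distill_round(F), "closed form:", closed_form(F))
    print("rounds, fidelity, yield from F=0.75 to 0.99:", rounds_to_reach(0.75, 0.99))
```

The yield returned by `rounds_to_reach` shrinks faster than $2^{-\text{rounds}}$, which is the cost of the purity gained.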
In summary, entanglement is a new resource for computation
processing and communication that can change
information theory both qualitatively and quantitatively.
The concept of entanglement is a genuinely quantum
phenomenon that allows us to extend the theory of information
beyond its classical limitations. We have already
seen error-correction codes as one essential application of
entanglement and more genuine examples like teleportation,
dense coding, quantum key distribution, quantum
computations, etc. are addressed in the forthcoming sections.

FIG. 3: Scheme for quantum teleportation.



IV. QUANTUM TELEPORTATION 

Copying classical states (be it an Etruscan fibula, a
Goya painting, or a banknote) has never posed unsurmountable
difficulties to experts. It suffices to thoroughly
observe the original as much as it may be required,
taking care of not damaging it, to retrieve the information
needed to make a copy of it. This careful observation
does not alter in a noticeable way its state. But if
the original to be reproduced is a quantum system in an
unknown state $\phi$, then any measurement (incompatible
with $P_\phi$) made on the system to get information on $\phi$ will
perturb uncontrollably the state destroying the original
(Sec. III). Moreover, even having an unlimited number
of copies of that state, infinitely many measurements will
be necessary to determine that unknown state.

For example, let us assume that Alice has a qubit (say
one spin $\frac{1}{2}$) in a pure state. Bob needs it, but Alice does
not have any quantum channel to transmit it to him. If
Alice knows the precise state of her qubit (for example,
if she knows that her spin $\frac{1}{2}$ is oriented in the direction
$\mathbf{n}$), it is enough for her to give Bob in a letter (classical
channel) that information (the components of $\mathbf{n}$) to enable
him to prepare a qubit exactly equal to Alice's. But
if she happens not to know the state, she may choose to
confess it to Bob, who would then be inevitably driven
to prepare his qubit in a random way, obtaining a 50%
fidelity on average. But Alice can also try to be more
cooperative, making for example a measurement on her
qubit of $\mathbf{n}\cdot\boldsymbol{\sigma}$, with $\mathbf{n}$ arbitrarily chosen, and then transmitting
to Bob both the components of $\mathbf{n}$ and the result
$\epsilon = \pm 1$ thus obtained. Armed with this information,
Bob can prepare his qubit in the state $\frac{1}{2}(1 + \epsilon\,\mathbf{n}\cdot\boldsymbol{\sigma})$. The
average fidelity so obtained is larger than before: 2/3.
However, it is not enough.

If Alice and Bob share an EPR pair, there exists a
protocol, devised by Bennett et al. (1993), known as
quantum teleportation, which, resorting to the quantum
entanglement of states and the non-locality of quantum
mechanics, allows Bob to reproduce Alice's unknown
quantum state with the assistance of only 2 cbits of information
sent by Alice to Bob through a classical channel.
This procedure necessarily destroys Alice's state (otherwise
it would violate the quantum no-cloning theorem,
Sec. III). Let us have a closer look at the aforementioned
protocol (see Fig. 3) (Rieffel and Polack, 1998).

Let $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ be Alice's qubit, with $\alpha = \cos\frac{1}{2}\theta$,
$\beta = e^{i\phi}\sin\frac{1}{2}\theta$. And let $|\Phi\rangle := 2^{-1/2}(|00\rangle + |11\rangle)$ be the
EPR state shared by Alice and Bob, with Alice having
the first of its qubits, and Bob the second. The initial
state is thus $|\psi\rangle\otimes|\Phi\rangle$, of which Alice can locally manipulate
its two first bits and Bob the third one.

Step 1. Alice applies to the initial state the unitary operator
$U := ((U_H\otimes 1)U_{\rm CNOT})\otimes 1$, acting with the CNOT
gate on the first two qubits and next with the Hadamard
gate $H$ on the first one. The resulting state is

$$\frac{1}{2}\left(|00\rangle\otimes|\psi\rangle + |01\rangle\otimes X|\psi\rangle + |10\rangle\otimes Z|\psi\rangle + |11\rangle\otimes Y|\psi\rangle\right). \tag{48}$$

Step 2. Alice then measures the first two qubits, obtaining
$|00\rangle$, $|01\rangle$, $|10\rangle$, or $|11\rangle$ equiprobably. $^{16}$ Alice lets Bob
know the result thus obtained, sending him two cbits:
the pair of binary digits 00, 01, 10, 11 that characterizes
it. As a byproduct of Alice's measurement, the first bit
ceases to be in the original state $|\psi\rangle$, while the third qubit
gets projected onto $|\psi\rangle, X|\psi\rangle, Z|\psi\rangle, Y|\psi\rangle$, respectively.

Step 3. Once Bob receives the classical information
sent by Alice, he just needs to apply on his qubit the
corresponding gate $1, X, Z, Y$, in order to drive it to the
desired state $|\psi\rangle$.

Notice that this teleportation sends an unknown quantum
state from one place (whence it vanishes) to another
place (where it shows up) without really traversing
the intermediate space. It does not violate causality,
though. In the first part of the process, quantum correlations
get established between the Bell states obtained
by Alice and the associated states of Bob's qubit. In the
remaining part to conclude the teleportation, information
is transmitted by classical means, in the standard
non-superluminal fashion. Notice also that in this "non-corporeal"
process, it is the information about the quantum
state, the qubit, and not the physical state itself,
what gets passed from Alice to Bob. There has been no
transportation whatsoever of matter, energy or information
at a speed larger than the speed of light.

16 Steps 1+2 amount to performing a Bell measurement on the
initial state, thus correlating the Bell states $00 \pm 11$, $01 \pm 10$ of
Alice's two qubits with the states of Bob's qubit. It suffices to note
that

$$|\psi\rangle|\Phi\rangle = \frac{1}{\sqrt{2}}|\psi\rangle(|00\rangle + |11\rangle) = \frac{1}{2\sqrt{2}}\big((|00\rangle + |11\rangle)|\psi\rangle + (|01\rangle + |10\rangle)X|\psi\rangle + (|00\rangle - |11\rangle)Z|\psi\rangle + (|01\rangle - |10\rangle)Y|\psi\rangle\big).$$

It is nevertheless surprising in the quantum teleportation
that all the information needed to reproduce the
state $|\psi\rangle = (\cos\frac{1}{2}\theta)|0\rangle + e^{i\phi}(\sin\frac{1}{2}\theta)|1\rangle$ (information that
is infinite for it requires to fix a point $(\theta, \phi)$ on the Bloch
sphere with infinite precision, thus requiring infinitely
many qubits), can be transmitted with only 2 cbits,
provided an EPR state is shared. This state, by itself,
only generates potentially an infinite number of random
and correlated bit pairs.

An ebit is the amount of entanglement in a two-qubit
state maximally entangled (usually, in a bipartite
pure state with entanglement entropy 1) (Bennett et al.,
1996). As an "exchange currency", one ebit is a computing
resource made up of a shared EPR pair. Writing
$a \preceq b$ to indicate that a resource $a$ is implementable upon
spending the resource $b$, the following relations are quite
apparent: 1 cbit $\preceq$ 1 qubit (to transmit 1 cbit it is enough
to send 1 qubit in one out of two orthogonal states),
1 ebit $\preceq$ 1 qubit (to have 1 ebit it is enough to produce an
EPR pair and to send one half of it to the other partner).
With this formulation, the quantum teleportation allows
us to write: 1 qubit $\preceq$ 1 ebit + 2 cbits (Bennett, 1995a).

Quantum teleportation was realized experimentally
with photons for the first time in two laboratories
(Bouwmeester et al., 1997; Boschi et al., 1998). This is
at least what these authors claim, although several critiques
have been raised (Braunstein and Kimble, 1998;
Vaidman, 1998; Braunstein, Fuchs and Kimble, 1999)
(see however Bouwmeester et al. (1998; 1999)). In the
experiment by the Roma group (Boschi et al., 1998), the
initial state to be teleported from Alice to Bob was a
photon polarization, but not an arbitrary one, for it coincided
with that of Alice's photon in the shared EPR
photon pair. In the experiments by the Innsbruck group
(Bouwmeester et al., 1997), however, the teleported state
was arbitrary. Teleportation was reached with a high fidelity
of 0.80 ± 0.05, $^{17}$ but with a reduced efficiency
(25% of cases).

It does not seem to be easy to implement the theoretical
protocol with a 100% effectiveness. The Bell operator
(which distinguishes among the four Bell states of 2
qubits) cannot be measured unless both qubits interact
appreciably with each other (as it occurs with the CNOT
gate used in the protocol explained above), something
which is very hard to achieve with photons. However,
with atoms in EM cavities the hopes are high.

17 This fidelity overcomes the value 2/3 corresponding to the case
in which Alice measures her qubit and communicates the result to
Bob classically.



Teleportation has also been realized of states which are 
parts of entangled states (Pan et al., 1998). 

It is also worthwhile mentioning quantum teleportation
of states of infinite dimensional systems (Furusawa
et al., 1998), namely, the teleportation of coherent optical
states leaning on pairs of EPR squeezed states. In
this experiment, whose fidelity is 0.58±0.02 (higher than
the maximum $\frac{1}{2}$ expected without resorting to entanglement),
a third party, the verifier Victor, supplies Alice
with one state that is known to him, but not to her. After
teleporting that state from Alice to Bob, Victor verifies
on output if Bob's state is similar to the one he provided
to Alice. In this sense, this experiment is different from
all the others, and led the authors to claim priority in
the realization of teleporting.

Quantum teleportation, which doubtlessly will be extended
to entangled states from different kinds of systems
(photons and atoms, ions and phonons, etc), might have
in the future remarkable applications for quantum computers
and in computer networks (for example, combined
with prior distillation of good EPR pairs), as well as in
the production of quantum memory records by means of
teleportation of information on systems such as photons
to other systems as trapped, well-isolated ions in cavities
(Bennett, 1995a; Bouwmeester et al, 1997).

V. DENSE CODING 

Classical information can also be sent through quantum
channels: to transmit the word 10011, it is
enough that Alice prepares 5 qubits in the states
$|1\rangle, |0\rangle, |0\rangle, |1\rangle, |1\rangle$, sends them to Bob through the quantum
channel, and Bob measures each of them in the basis
$\{|0\rangle, |1\rangle\}$. Each qubit carries a cbit, and this is the most
it can do in isolation. But if Alice and Bob share beforehand
an entangled state, then 2 cbits of information can
be sent from Alice to Bob with a single qubit. This is
cast in the formula: 2 cbits $\preceq$ 1 ebit + 1 qubit.

As a matter of fact, entanglement is a computing resource
that allows more efficient ways of coding information
(Bennett and Wiesner, 1992). One of them goes
under the name of quantum dense coding (or superdense
coding). Assume, for instance, an entangled state of two
photons. One of the photons goes to Alice, the other
one to Bob. She performs one of the following operations
on the polarization of her arriving photon: identity, flipping
(that is, «-^J, or Ü^Ü), change of $\pi$ in the relative
phase, and the product of the last two. Once this is done,
she sends back the photon to Bob, who measures in which
of the four Bell states the photon pair is. Then, in this
fashion we have been able to send 2 bits of information
over one single particle with only 2 states, that is, by
means of a qubit. It doubles what can be accomplished
classically. Thereby the name of dense coding. Moreover,
if Eve intercepts the qubit, she cannot get from it alone
any information whatsoever for its state is $\frac{1}{2}1$. All the
information lies in the entangled state, and Bob possesses
half of the pair. Actually, Alice has sent Bob 2 qubits,
but the first one long ago, as part of the initial entangled
state. This fact has allowed them to communicate more
efficiently, resorting to the entangled state they shared.

Dense coding is kind of the inverse process to teleportation.
In the latter the communication of two cbits
allows us to reproduce a qubit state, while in the former
the communication of a qubit carries along two cbits of
information.




FIG. 4: Scheme for dense quantum coding. 



The following is a protocol that thoroughly implements
what we have just explained (Rieffel and Polack,
1998): an EPR source supplies Alice and Bob with EPR
two-particle states like $|\Phi\rangle := 2^{-1/2}(|00\rangle + |11\rangle)$, one of
whose particles goes to Alice and the other one to Bob,
who keep them. Alice is supplied with 2 cbits, which represent
the numbers 0, 1, 2, 3 as 00, 01, 10, 11 (see Fig. 4).

Step 1. Coding. According to the value of that num- 
ber, Alice effects on her EPR half the unitary operation 
1, Z, X, Y, which brings the EPR state to 00+11, 00-11, 
10+01, 10-01. Once this is done, she sends her half to 
Bob. 

Step 2. Decoding. Upon reception, Bob effects on the
EPR pair first a CNOT operation, such that the state
becomes 00+10, 00-10, 11+01, 11-01. He then measures
the second qubit; if he finds 0, he already knows that
the message was 0 or 1, and if he finds 1, the message
was 2 or 3. That is, he has gotten the first bit of the two-bit
message. In order to know the second one, Bob next
applies a Hadamard transformation on the first qubit,
whereby the state becomes 00, 10, 01, -11, and measuring
the first bit, if he finds 0, he knows that the message was
0 or 2, and if he finds 1, the message was 1 or 3, that is,
he has just gotten the second bit of the message.

An experiment of this nature has been performed in
Innsbruck (Mattle et al., 1996), using as a source of entangled
photons the parametric down conversion that a
non-linear crystal of β-barium borate produces: UV photons
get disintegrated (though with low probability) in a
pair of softer photons, with polarizations which in a certain
geometric configuration are entangled. In that
experiment it was achieved to send 1 qutrit/qubit, that
is, $\log_2 3 = 1.58$ cbits per qubit.

In a recent experiment, in which the qubits are the
spins of $^1$H and $^{13}$C in a chloroform molecule $^{13}$CHCl$_3$
marked with $^{13}$C, and NMR techniques are employed to
initialize, manipulate and read out the spins, the authors
claim to have reached the 2 cbits per qubit (Fang et al.,
1999).

The initial preparation of the entangled pair and the
posterior transmission of the information qubit may have
opposite senses; for example, Bob sends to Alice one half
of the entangled state, keeping the other half for himself,
and then Alice uses her qubit to send to Bob the desired
information. This may be of interest if the cost in the
transmission in one way is higher than in the reverse way.
Since the distribution of the entangled state takes place prior to the
communication, transmission hours at lower charges can
be profited from.

On the other hand, intercepting the message from Alice
to Bob does not provide a trifle of information to an
eavesdropper, for the message is entangled with the part
of the EPR system possessed by Bob. Therefore it is
automatically an encrypted emission (except if Eve intercepts
both the original pair and the message and she
replaces them).
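The teleportation steps of Sec. IV and the dense-coding protocol above can be checked with a few lines of state-vector arithmetic, including what an interceptor of the travelling qubit actually holds. This Python simulation is an added example, not code from the paper; the function names are hypothetical and $Y$ is taken as the real matrix $XZ$, which matches the text up to the global phases it ignores.

```python
import cmath
import math

S = 1 / math.sqrt(2)
ID = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
Y = [[0, -1], [1, 0]]          # Y taken as XZ (assumption); the text ignores global phases
H = [[S, S], [S, -S]]
EPR = [S, 0, 0, S]             # |Phi> = (|00> + |11>)/sqrt(2)
TELEPORT_FIX = [ID, X, Z, Y]   # Bob's gate for Alice's cbits 00, 01, 10, 11
DENSE_OPS = [ID, Z, X, Y]      # Alice's gate for the numbers 0, 1, 2, 3


def apply_gate(state, gate, k, n):
    """Apply a one-qubit gate to qubit k (0 = leftmost) of an n-qubit state vector."""
    shift = n - 1 - k
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        bit = (i >> shift) & 1
        for new in (0, 1):
            out[i ^ ((bit ^ new) << shift)] += gate[new][bit] * amp
    return out


def apply_cnot(state, control, target, n):
    """CNOT: flip the target qubit of every basis state whose control qubit is 1."""
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        if (i >> (n - 1 - control)) & 1:
            i ^= 1 << (n - 1 - target)
        out[i] += amp
    return out


def teleport(theta, phi):
    """Steps 1-3 for |psi> = cos(theta/2)|0> + e^{i phi} sin(theta/2)|1>.

    Returns {Alice's cbits: (probability, fidelity of Bob's corrected qubit with |psi>)}.
    """
    psi = [complex(math.cos(theta / 2)), cmath.exp(1j * phi) * math.sin(theta / 2)]
    state = [a * b for a in psi for b in EPR]            # |psi> (x) |Phi>, qubits 0, 1, 2
    state = apply_gate(apply_cnot(state, 0, 1, 3), H, 0, 3)
    results = {}
    for m in range(4):
        bob = [state[2 * m], state[2 * m + 1]]           # Bob's unnormalised qubit
        prob = sum(abs(x) ** 2 for x in bob)
        bob = apply_gate([x / math.sqrt(prob) for x in bob], TELEPORT_FIX[m], 0, 1)
        overlap = sum(p.conjugate() * b for p, b in zip(psi, bob))
        results[format(m, "02b")] = (prob, abs(overlap) ** 2)
    return results


def dense_encode(message):
    """Step 1: Alice acts on her half (qubit 0) of |Phi> according to the number 0..3."""
    return apply_gate(EPR, DENSE_OPS[message], 0, 2)


def dense_decode(state):
    """Step 2: Bob applies CNOT, reads qubit 1, applies H to qubit 0 and reads it."""
    state = apply_gate(apply_cnot(state, 0, 1, 2), H, 0, 2)
    index = max(range(4), key=lambda i: abs(state[i]))   # the state is now a basis state
    first_bit, second_bit = index & 1, index >> 1         # qubit 1, then qubit 0
    return 2 * first_bit + second_bit


def intercepted_density_matrix(message):
    """Reduced state of the travelling qubit (qubit 0): all that Eve can capture."""
    s = dense_encode(message)
    return [[sum(s[2 * i + b] * s[2 * j + b].conjugate() for b in (0, 1))
             for j in (0, 1)] for i in (0, 1)]


if __name__ == "__main__":
    print(teleport(math.pi / 3, 1.1))
    for m in range(4):
        print(m, dense_decode(dense_encode(m)), intercepted_density_matrix(m))
```

For every message the intercepted qubit has the same density matrix, so the eavesdropper's view is independent of the two cbits being sent.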

VI. CRYPTOGRAPHY 

A. Classical Cryptography 

Cryptography has been a very important part of information
theory since 1949, with the pioneering works by Shannon
at Bell Labs. He proved that there exist unbreakable
codes or perfectly secret systems (Shannon, 1949).
As a matter of fact, one was known since 1918 (but
not that it was unbreakable): the one-time pad system.
It is also named VERNAM code (Vernam,
1926), for it was devised by the young engineer Vernam
at AT&T in December 1917 and proposed to the company
in 1918 (Kahn, 1967); with Vernam's system both
ciphering and deciphering of messages became automatic
tasks for the first time.



1. One-time pad 

To encode with the one-time pad one starts from the
plain or source text to be ciphered, written as a series
$\{p_1, p_2, \ldots, p_N\}$ of integers $p_j \in \mathbb{Z}_B$; then a key
$\{k_1, k_2, \ldots, k_M\}$ of integers in $\mathbb{Z}_B$, with $M \geq N$, randomly chosen, is used
to produce a ciphered text or cryptogram $\{c_1, c_2, \ldots, c_N\}$
by combining the key with the plain text in modular
arithmetic $c_j := p_j + k_j \bmod B$, $1 \leq j \leq N$. The module
$B$ is the maximum number of distinct symbols (2 for binary,
10 for digits, 27 for letters (English text and blank
space symbol), etc).

Both the sender (Alice) and the receiver (Bob) need
to have the same key of random numbers, so that upon
reception of the cryptogram, Bob undoes the algorithm
with that key recovering thereby the original text.

Possible repetitions in the source text (to which codebreakers
resort for decoding) are washed out by the random
key. The length of the random sequence must be
greater than or equal to that of the source text, and must
not be employed more than once. $^{18}$ Shannon showed that
if the key length is smaller than the text length and one
reuses cyclically the key to encrypt the message, then it
is possible to extract information from the encoded text
(Shannon, 1949). These requirements make this procedure
very burdensome when there is a lot of information
to encrypt. Moreover, it is not easy to have long series
of really random numbers at our disposal.
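The two requirements just stated (key at least as long as the text, never used twice) and the remark of footnote 18 can be made concrete with the $B = 27$ alphabet mentioned above. This Python sketch is an added example, not code from the paper; the names `PadBook`, `encrypt` and `key_free_difference` are hypothetical and the sample sentences and key are constructed.

```python
import secrets

ALPHABET = " abcdefghijklmnopqrstuvwxyz"   # B = 27: blank plus 26 letters, as in the text
B = len(ALPHABET)


def to_ints(text):
    """Write the text as the series p_1..p_N of integers in Z_B."""
    return [ALPHABET.index(ch) for ch in text]


def to_text(ints):
    return "".join(ALPHABET[i] for i in ints)


def encrypt(plain, key):
    """c_j = p_j + k_j mod B; refuses a key shorter than the text (M >= N is required)."""
    if len(key) < len(plain):
        raise ValueError("key shorter than plaintext")
    return [(p + k) % B for p, k in zip(plain, key)]


def decrypt(cipher, key):
    """p_j = c_j - k_j mod B."""
    return [(c - k) % B for c, k in zip(cipher, key)]


class PadBook:
    """Sheets of random key material; a sheet is destroyed the moment it is handed out."""

    def __init__(self, sheets, sheet_length):
        self._sheets = [[secrets.randbelow(B) for _ in range(sheet_length)]
                        for _ in range(sheets)]

    def tear_off(self):
        if not self._sheets:
            raise RuntimeError("pad exhausted: obtain new key material, never reuse a sheet")
        return self._sheets.pop(0)


def key_free_difference(c1, c2):
    """(c1_j - c2_j) mod B, which anyone holding two cryptograms can compute."""
    return [(a - b) % B for a, b in zip(c1, c2)]


def reuse_leaks(p1, p2, key):
    """True when two cryptograms made with one key reveal p1 - p2 with no key term left."""
    c1, c2 = encrypt(p1, key), encrypt(p2, key)
    return key_free_difference(c1, c2) == key_free_difference(p1, p2)


if __name__ == "__main__":
    # Constructed sample messages and key, for illustration only.
    p1, p2 = to_ints("the quick brown"), to_ints("pay the invoice")
    book = PadBook(sheets=2, sheet_length=len(p1))
    sheet = book.tear_off()
    print(to_text(decrypt(encrypt(p1, sheet), sheet)))
    print("same key used twice leaks the plaintext difference:", reuse_leaks(p1, p2, sheet))
```

With one sheet per message the difference of two cryptograms still contains the difference of two independent random keys, which is why `PadBook` hands each sheet out exactly once.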

This cipher system was used by German and Russian
diplomats during the Second World War, and by the Soviet
espionage during the cold war (Hughes et al., 1995).
It is popularly known as "one-time pad" because the keys
were written on a notebook or pad, and each time one
was used, the corresponding sheet with the key was torn
off and destroyed. It is said that the continued use of
the same key allowed to unmask the Rosenberg spy ring
and the atom-spy Fuchs (Hughes et al., 1995). It was
also used by Che Guevara to communicate secretly with
Fidel Castro from Bolivia (Bennett, Brassard and Ekert,
1992). And it is routinely used for White House and
Kremlin communications through the "hot line".

Although invulnerable, the VERNAM cryptosystem has
the shortcoming of demanding keys at least as long as
the text to be ciphered. This is why it is only used to
cipher highly valuable information. For less delicate or
sensitive business it is replaced by shorter though breakable
encryption keys.

It was precisely the spur for breaking secret messages
what fostered the development of computers.

2. PKC System 

The PKC system (Public Key Cryptographic System) is
of great interest since it avoids some of the shortcomings
of the VERNAM system. It was devised in the middle of
the 70s by Diffie and Hellman at Stanford (Diffie and
Hellman, 1976; Diffie, 1992; Hellman, 1979) and later
implemented at MIT by Rivest, Shamir and Adleman
(1978). $^{19}$ This system is nowadays used worldwide, for
instance on the Internet.

Two keys are involved: one person X gives away a public
key, which anybody can use, and he/she keeps secret a
private key, which is the inverse of the former. The public
key is used by any sender S to send coded messages
to X; on receipt, X decodes them with the private key.
It is pretty clear that this is of interest only if X alone,
but nobody else, knows how to undo the coding at a reasonable
cost. How can we get this done? In a subtle and
cunning way: to encrypt messages, the PKC system uses
trapdoor one-way functions. These are injective maps of
complexity P, i.e., (computationally) tractable functions,
the inverses of which are intractable in practice, that is,
highly costly to evaluate unless additional information is
supplied (NP problem). See Appendix for details. Integer
factorization stands out among this type of inverse
functions, as well as discrete logarithms in finite fields
and on elliptic curves (Koblitz, 1994; Welsh, 1995).

18 If two binary cryptograms encoded with the same key are intercepted,
their sum modulo 2 eliminates the key and makes it
possible to decrypt messages with certain ease (Collings, 1992).

19 Apparently, some years before Diffie and Hellman, the British
Secret Service knew about this system, but as classified record (military
secret) (Ellis, 1970; Ekert, Hayden and Inamori, 2000).

The PKC system affords to leave wide open both the encryption
algorithm and "half" of the total key, namely
the public key, without suffering from any extra insecurity;
this contrasts sharply with the controversial DES
system (Data Encryption Standard), which discloses only
the algorithm, but whose vulnerability has been shown
up (Electronic Frontier Foundation, 1998).

3. RSA System 

One of the most interesting ways of implementing the
PKC system is the RSA method of Rivest, Shamir, and
Adleman, 1978, based on the extreme difficulty of factoring
large integer numbers. In particular, it is used to protect
the electronic bank accounts (for instance, against
bank transfers electronically requested). The public
key of X consists of a pair of integers $(N(X), c(X))$, the
first one very big, say of 200-300 digits, and the other one
in the interval $(1, \varphi(N(X)))$ and coprime to $\varphi(N(X))$,
where $\varphi$ is Euler's totient function ($\varphi(n)$ is the number of
coprimes to $n$ in the interval $[0,n)$). After transforming
his/her message $M$ into an integer following
some public bijective prescription which both sender
and receiver have agreed upon, the sender S partitions it into
blocks $B_j < N(X)$ as lengthy as possible, encodes each
block $B$ as

$$B \mapsto C(B) = B^{c(X)} \bmod N(X), \tag{49}$$

and sends the sequence of cryptograms $\{C(B_j)\}$ to X.
Let us denote this coding operation as $M \mapsto P_X(M)$,
with the symbol $P_X$ meaning that it was done with the
public key $c(X)$ of X. The receiver X decodes each $C(B)$
as

$$C(B) \mapsto B = C(B)^{d(X)} \bmod N(X), \tag{50}$$

where the exponent $d(X)$ for decoding is the private key,
which is nothing but a solution to

$$c(X)\,d(X) = 1 \bmod \varphi(N(X)). \tag{51}$$

That solution is (Koblitz, 1994)

$$d(X) = c(X)^{\varphi(\varphi(N(X)))-1} \bmod \varphi(N(X)). \tag{52}$$

We shall indicate the decoding as $P_X(M) \mapsto S_X(P_X(M)) = M$,
where the symbol $S_X$ refers to the
secret key of X.

In principle, since $c(X)$ and $N(X)$ are known, anybody
can compute $d(X)$, and hence break up the secret. But
it is here where the shrewdness of X enters the stage. In
order to make it extremely difficult for Eve (spy character
that intercepts messages, and listens to them without
permission before delivering them again), it is better that
X abides by certain rules (Salomaa, 1996), among which
we highlight the following:

1. He/she must choose $N(X)$ as the product $p_1 p_2$ of
   two large and random prime numbers (with at least
   one hundred digits each), not very close to one another
   (for this it is enough that the lengths of their
   expressions differ in a few bits), and avoiding also
   that they be tabulated or have some special form.
   Algorithms for testing primality like the probabilistic
   algorithm of Miller-Rabin (Miller, 1980; Rabin,
   1976), or the deterministic APRCL, discovered
   by Adleman, Pomerance, and Rumely (1983),
   and later simplified and improved by Lenstra and
   Cohen (Cohen and Lenstra 1984; Cohen, 1993) facilitate
   enormously the choice of $p_1, p_2$.

2. As X knows $p_1, p_2$, he/she knows how to compute
   $\varphi(N(X))$, namely, $\varphi(N(X)) = (p_1 - 1)(p_2 - 1)$.
   Now X has to choose an integer $d(X)$ (the private
   key) randomly in the interval $(1, \varphi(N(X)))$,
   coprime to $\varphi(N(X))$, and then compute the public
   key $c(X)$ by means of

   $$c(X) = d(X)^{\varphi(\varphi(N(X)))-1} \bmod \varphi(N(X)), \tag{53}$$

   or, much better, by solving $c(X)d(X) = 1 \bmod \varphi(N(X))$
   with the classical Euclid's algorithm.

   One should discard small private keys $d(X)$, in order
   to avoid their disclosure by plain trial and error.
   That is why it is convenient to start by fixing $d(X)$.
   It is not advisable to have $c(X)$ very small either,
   for then the interception of the same message sent
   to several addressees sharing the same public key
   could lead to its break-up without much effort.

Anybody knowing only $N(X)$ but not its factors,
should "apparently" factorize first $N(X)$ to compute
$\varphi(N(X))$, and hence to find out the exponent for decoding; $^{20}$
but factorization of a number 250 digits long would
take about 10 million years on a 200 MIPS $^{21}$ workstation
with the best algorithm known nowadays (Hughes, 1997).



20 "Apparently", for it is unknown so far whether there exist alternative
procedures to decode $C(B)$ which do not go through getting
the inverse exponent, nor whether the computation of this one
necessarily requires to know the prime factors of $N$.

21 Millions of instructions per second; it gives a general idea of a
computer's speed, but only refers to CPU speed (real speed depends
also on other factors like input/output speed).

The RSA system also allows digital authentication of
messages, as well as appending to them an electronic or
digital signature (van der Lubbe, 1998; Koblitz, 1994;
Stinson, 1995; Welsh, 1995).

a. The RSA numbers. 

In 1977 Martin Gardner published an encoded message
in his Mathematical Games of Scientific American using
the RSA method, with the promise of a $100 reward
(payable by the Rivest et al. group at MIT) for the first
person who would decode it (Gardner, 1977):

96869613754622061477140922254355882905759991124 
57431987469512093081629822514570835693147662288 
3989628013391990551829945157815154 

This cryptomessage had been obtained using the RSA
method starting from an English sentence and the dictionary
(␣ (blank space) ↦ 00, a ↦ 01, ..., z ↦ 26), and
using as public key (RSA-129, 9007), where RSA-129 was
the following number 129 digits long:

RSA-129 = 114381625757888867669235779976146612 
01021829672124236256256184293570693524573389783 
0597123563958705058989075147599290026879543541 

Decoding this message required to factorize RSA-129
into two prime factors of 64 and 65 digits each. It was
estimated by then that the time to reach that goal would
be about $4 \times 10^{16}$ years, at least. In 1994 new factorization
algorithms $^{22}$ and the combined effort in idle time of
a cluster of about a thousand workstations on the Internet
did factorize it in about 8 months, after a CPU time
of 5000 MIPS years, using the quadratic sieve algorithm
(QS). These factors are

34905295108476509491478496199038981334177646384 
93387843990820577 x 

32769132993266709549961988190834461413177642967 
992942539798288533 

With this knowledge, it is straightforward to recover
the original message: the magic words are squeamish
ossifrage (Atkins, 1995).
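The recovery described above can be reproduced from the numbers printed in the text. The following Python code is an added example, not part of the original paper: it checks that the two factors multiply back to RSA-129, derives the private exponent from them, decrypts the 1977 cryptomessage and decodes it with the 00 = blank, 01 = a, ..., 26 = z dictionary. Function and constant names are assumptions of the example; `pow(e, -1, m)` needs Python 3.8 or later.

```python
# RSA-129 challenge values, copied from the text (line breaks removed).
CIPHERTEXT = int(
    "96869613754622061477140922254355882905759991124"
    "57431987469512093081629822514570835693147662288"
    "3989628013391990551829945157815154"
)
RSA_129 = int(
    "114381625757888867669235779976146612"
    "01021829672124236256256184293570693524573389783"
    "0597123563958705058989075147599290026879543541"
)
E = 9007  # public exponent of the public key (RSA-129, 9007)
P = int("34905295108476509491478496199038981334177646384"
        "93387843990820577")
Q = int("32769132993266709549961988190834461413177642967"
        "992942539798288533")

ALPHABET = " abcdefghijklmnopqrstuvwxyz"  # 00 -> blank, 01 -> a, ..., 26 -> z


def private_exponent(e, p, q):
    """Inverse of e modulo (p-1)(q-1): easy once p and q are known."""
    return pow(e, -1, (p - 1) * (q - 1))


def decode(m):
    """Turn the plaintext integer back into text, two decimal digits per symbol."""
    digits = str(m)
    if len(digits) % 2:  # a leading "0" is lost when the digits become an integer
        digits = "0" + digits
    return "".join(ALPHABET[int(digits[i:i + 2])]
                   for i in range(0, len(digits), 2))


def break_rsa129():
    """Decrypt Gardner's 1977 cryptomessage using the published factors."""
    if P * Q != RSA_129:
        raise ValueError("the factors do not multiply back to RSA-129")
    d = private_exponent(E, P, Q)
    m = pow(CIPHERTEXT, d, RSA_129)
    # Consistency check: re-encrypting the plaintext must give the ciphertext.
    if pow(m, E, RSA_129) != CIPHERTEXT:
        raise ValueError("decryption is not consistent with the public key")
    return decode(m)


if __name__ == "__main__":
    print(break_rsa129())
```

Everything after the factorization is a modular inverse and one modular exponentiation, which is why the security of the scheme rests entirely on the difficulty of factoring the modulus.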



22 There exist efficient methods, like those based on the quadratic
sieve (QS) (Pomerance, 1982; Gerber, 1983; Pomerance, 1996), elliptic
curves (EC) (Lenstra, 1987), and the general number field
sieve (GNFS) (Lenstra, 1993; Pomerance, 1996). Their complexities
are subexponential, but superpolynomial:

QS: $O\left(e^{(1+o(1))\sqrt{\log N \,\log\log N}}\right)$

EC: $O\left(e^{(1+o(1))\sqrt{2\log p \,\log\log p}}\right)$

GNFS: $O\left(e^{(1.923+o(1))(\log N)^{1/3}(\log\log N)^{2/3}}\right)$

where p is the smallest prime factor of N. From 120-130 digits on,
the number field sieve seems to overcome the other methods.
FIG. 5: Factorization with 1000 workstations with increasing
power according to Moore's law starting from
800 MIPS in 2000. The vertical axis shows the factorization
time $T_a(n)$, in years, for an integer number of n bits.
The horizontal axis shows the calendar year.



Two years later, RSA-130 was broken with the most
powerful factorization algorithm to date (the general
number field sieve (GNFS)), and after a computation
time almost one order of magnitude lower than that employed
for RSA-129. In February 1999, the factorization
of the next number in the RSA list was over: the
RSA-140, after about 2000 MIPS-years and the same
GNFS method. And in August 1999 the factorization
of RSA-155 was achieved, also using GNFS and after
about 8000 MIPS-years. 23 It has 512 bits and is the
product of two prime numbers 78 digits long. Just to
figure out the magnitude of this problem, in its solution
35.7 CPU years have been employed to do the sieve, distributed
in about three hundred workstations and PCs,
and 224 CPU hours of CRAY C916 and 2 Gbytes of central
memory in order to find the relations between the
rows of a giant sparse matrix of 6.7 million rows and as
many columns, with an average of 62.27 non-vanishing
elements per row.

A few years ago, the use of 512-bit moduli was considered
very safe. 24 The preceding example
shows that the GNFS factorization algorithm renders this
bit length insufficient. Nowadays, the use of (768, 1024,
2048)-bit moduli is recommended for (personal, corporate,
high-security) use. In Fig. 5, the estimated factorization
times under the joint use of 1000 workstations
are represented, assuming that the processing power follows
the so-called Moore's law (doubling every 18 months)
(Hughes, 1997). See Sec. VII for more details. We take
the RSA-155 time as reference. 25



Even though the factorization problem remains as a
hard problem in computer science, nobody knows for sure
whether one day a mathematician may come up with
a radically new faster algorithm such that the ordinary
classical computers can cope with the task of factorizing
large integer numbers in polynomial time. As a matter of
fact, quantum computation has raised high expectations
in this regard, with Shor's algorithm (Shor, 1994) to be
discussed in Sec. X.D. That is why security agencies
closely follow the new advances in number theory and
computation to see what they are up to!



B. Quantum Cryptography 

Quantum physics provides us with a secure method for
coding, guaranteed by the very laws of physics. The pioneering
idea dates back to Stephen Wiesner, who already
by 1969 26 suggested this possibility, as well as the fabrication
of forgery-proof banknotes, quantum banknotes
(Wiesner, 1983). In the middle '80s Bennett and Brassard
(1984) devised a quantum cryptosystem based on
the Heisenberg principle, which soon afterwards was implemented
experimentally by sending secret information
with polarized photons to a distance 30 cm apart (Bennett
et al., 1992). This system employs quantum states,
not all mutually orthogonal, in order to keep them from
being cloned by a possible interceptor; as it uses 4 distinct
states, it is called the four-state scheme. Using non-local
quantum correlations in pairs of entangled photons (produced,
for example, by parametric down conversion) was
subsequently proposed by Ekert (1991). Within this E91
system the Bell inequalities (Bell, 1964; 1966; 1987) are
in charge of keeping the security; hence this system is
also labeled EPR scheme. For a detailed recent review
see Gisin et al., 2001.



1. Counterfeit-safe "quantum" banknotes 

A possible forgery-proof banknote could be a banknote
provided with a printed number and a small collection of
(say twenty) photons trapped indefinitely in individual
cells of perfectly reflecting walls, and with secret polarizations
O, O, J, <-> randomly distributed, that the issuing
bank would keep in secret correspondence with the identification
number. The bank therefore could at any moment
check the legitimacy of the note, without ruining it,
because it would know beforehand how to place the polarizers
to check each photon polarization without destroying
it. Any forger that attempts to copy a note, however,


23 We thank A.K. Lenstra and H. te Riele for sharing with us their
information about the latest RSA factorizations.

24 The number of bits in the integer N is $\lfloor \log_2 N \rfloor + 1$.

25 Miniaturization of classical devices has the atomic/molecular
scale as a limit, which at Moore's law pace will be reached within
a couple of decades.

26 His work was finally published in 1983, but after being rejected 
from the journal to which it was first submitted. An unpublished 
version appeared in 1970. 
ignorant of the directions in which the photons were polarized,
would perturb the initial polarization, projecting
it onto one of the two corresponding orientations of the
polarizer chosen to measure with (Wiesner, 1983; Bennett,
1992b).





FIG. 6: Counterfeit-safe banknotes: the identification
number is correlated with the secret polarizations of photons
trapped in individual cells.



2. QKD: quantum key distribution 

Although the quantum notes business may look a sheer
fantasy, this is not the case for systems of quantum key
distribution. Among the communication protocols, we
may highlight the BB84 of Bennett and Brassard (1984),
E91 of Ekert (1991), B92 of Bennett (1992a), and EPR
without Bell's inequalities, due to Bennett, Brassard and
Mermin (1992). These protocols provide a way for two
parties to share keys absolutely secret in principle, and
thus they are an ideal complement to the Vernam code.

Alice and Bob want to exchange secret information, 
without recourse to middlemen who bring key pads from 
one to the other, and without fear that someone breaks 
their code. To this end, they must share a key, known 
only to them. They proceed according to a given commu- 
nication protocol, or set of instructions either to detect 
any non-authorized eavesdropper, or else to settle down 
the secret key that only they will share for coding and 
decoding. 



a. BB84 Protocol, or four-state scheme. 

This is the first protocol devised in quantum cryptography.
Alice and Bob are connected by two channels, one
quantum and another public and classical. If photons are
the vehicle carrying the key, the quantum channel is usually
an optical fiber. The public channel can also be so,
but with one difference: in the quantum channel, there
is in principle only one photon per bit to be transported,
while in the public channel, in which eavesdropping by
any non-authorized person does not matter, the intensity
is hundreds of times bigger.

Step 1. Alice prepares photons with linear polarizations
randomly chosen among the angles 0°, 45°, 90° and 135°,
which she sends "in a row" through the quantum channel,
while keeping a record of the sequence of the prepared
states, as well as of the associated sequence of 0s and
1s obtained representing by 0 the choices of 0 and 45
degrees, and by 1 otherwise. This sequence of bits is
clearly random. For instance, denoting by H, V, D and
A the horizontal, vertical, 45° and 135° polarizations,
respectively, and by +, x the polarization bases {H,V},
{D,A}, possible sequences for Alice are:

++++X+XX+X++++XX+XX++XXX++X+++X+XXX+XXX++X+++++X . . . 

VVVHAVAAVAHVHHDDVDDHHAAAVHDHVVDVDADVDAAHVDVHHHVA . . . 
111011111101000010000111100011010101011010100011. . . 

Step 2. Bob has two analyzers, one "rectangular" (+
type), the other "diagonal" (x type). Upon receiving
each of Alice's photons, he decides at random what analyzer
to use, and writes down the random sequence of analyzers
used, as well as the result of each measurement. He
also produces a bit sequence associating 0 to the cases
when the measurement produces a 0°- or 45°-photon,
and 1 in cases 90° and 135°. With the following analyzers
chosen at random by Bob, a possible result of Bob's
action on the previous sequence of Alice is

X+X+XXXX+++X++X+X+XXXX+++++++XXXX+++X+XXXXXX++X+ . . . 

DVAHADAAVVHDHHDHAVDADAHHVHVHVDDADHVVDVAAADADHHDH . . . 
011010111100000011010100101010010011011110100000. . . 

Step 3. Next they communicate to each other through the
public channel the sequences of polarization bases and
analyzers employed, as well as Bob's failures in detection,
but never the specific states prepared by Alice in
each basis nor the resulting states obtained by Bob upon
measuring.

Alice to Bob: ++++X+XX+X++++XX+XX++XXX++X+++X+XXX...
Bob to Alice: X+X+XXXX+++X++X+X+XXXX+++++++XXXX++...



Step 4. They discard those cases in which Bob detects no
photons, and also those cases in which the preparation
basis used by Alice and the analyzer type used by Bob
differ. After this distillation, both are left with the
same random subsequence of bits 0, 1, which they will
adopt as the shared secret key:

Alice  111011111101000010000111100011010101011010...
       ++++X+XX+X++++XX+XX++XXX++X+++X+XXX+XXX++X...
Bob    X+X+XXXX+++X++X+X+XXXX+++++++XXXX+++X+XXXX...
       011010111100000011010100101010010011011110...

Alice  -1-01-111-0-000---0--1--10-01-0-0--10-1--0...
Bob    -1-01-111-0-000---0--1--10-01-0-0--10-1--0...



Therefore the distilled key is 1011110000011001001010..., 
and its length is, on average, and assuming no detection 
failures, one half of the length of each initial sequence. 



b. Eavesdropping effects. 

All this holds in the ideal case that there are no eavesdroppers,
no noise in the transmission and no defects
in the production, reception and analysis: the distilled
keys of Alice and Bob coincide. But let us assume that
Eve "taps" the quantum channel, and that, having the
same equipment as Bob's, analyzes the polarization state
of each photon, forwarding them next to Bob. Since Eve,
much like Bob, does not know the state of each photon sent by
Alice, she will use the wrong analyzer with probability
1/2, and will replace Alice's photon by another one, so
that upon measurement Bob will get Alice's state only
with probability 3/8, instead of the probability 1/2 in
absence of eavesdropping. Therefore this intervention of
Eve induces on each photon a probability of error 1/4.
Returning to the previous example, let us assume that
Eve's measurements on Alice's photons produce the following
results:

Eve x++x++++x++xxx++++++x+xxxx++xx+x+++x+xxx+x. . . 
DVVAVVVVDVHADAVHVHHHAVAAADHHADHDVVVDHAADVD . . . 

These Eve's states are now those reaching Bob, who 
with his sequence of analyzers will obtain, for instance 

X+X+XXXX+++X++X+X+XXXX+++++++XXXX+++X+XXXXXX++X+ . . . 

DVDVADADHVHAHHDHAHAAAAHHHHHHHDDDAVVVAVADDDAAHHAH. . . 
010110100101000010111100000000001111111000110010. . . 

Proceeding as in step 4: 

Alice  111011111101000010000111100011010101011010...
       ++++X+XX+X++++XX+XX++XXX++X+++X+XXX+XXX++X...
Bob    X+X+XXXX+++X++X+X+XXXX+++++++XXXX+++X+XXXX...
       010110100101000010111100000000001111111000...

Alice  -1-01-111-0-000---0--1--10-01-0-0--10-1--0...
Bob    -1-11-100-0-000---1--1--00-00-0-1--11-1--0...

We see that the coincidences in the distilled lists get
disrupted: in 1 out of 4 cases, the coincidence disappears.
Sacrificing for verification a piece of the lists taken at random
from the final sequences, Alice and Bob can publicly
compare them, and their differences will detect the intervention
of Eve. If the length of that checking partial
sequence is N, the probability that Eve's listening has
not produced discrepancies is $(3/4)^N$, and thus negligible
for N large enough. Therefore, should they not find
any discordance, they can feel safe about the absence of
eavesdroppers. But that binary string they have made
public, they must clearly disregard it and not use it for
coding. However, in practice both the emitting source,
as well as the receiving equipment and the transmission
channel display noise, which necessarily spoils, even with
no snooping Eve, the perfect fit of the bit sequences distilled
by Alice and Bob. It is necessary then to coexist
with error, whenever this stays under a tolerable limit. In
these circumstances, Eve will try to behave herself taking
care that the effects of her listening stay below a certain
threshold and do not set off the alarm.
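Steps 1-4 and the intercept-and-resend analysis above can be replayed in code. The following Python code is an added example, not part of the original paper: `sift` applies step 4 to the first 42 positions of the transcripts printed in the text, and `run_bb84` simulates the exchange with and without Eve under the text's ideal assumptions (no noise, no detection failures). Function names, constants and the seeded pseudo-random source are assumptions of the example.

```python
import random

BASES = "+X"  # rectangular {H,V} and diagonal {D,A}, written as in the text

# First 42 positions of the transcripts printed in the text.
ALICE_BASES = "++++X+XX+X++++XX+XX++XXX++X+++X+XXX+XXX++X"
ALICE_BITS = "111011111101000010000111100011010101011010"
BOB_BASES = "X+X+XXXX+++X++X+X+XXXX+++++++XXXX+++X+XXXX"
BOB_BITS = "011010111100000011010100101010010011011110"      # no eavesdropper
BOB_BITS_EVE = "010110100101000010111100000000001111111000"  # Eve on the line


def sift(alice_bases, alice_bits, bob_bases, bob_bits):
    """Step 4: keep only the positions where Alice's basis equals Bob's analyzer."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return ("".join(str(alice_bits[i]) for i in keep),
            "".join(str(bob_bits[i]) for i in keep))


def error_rate(key_a, key_b):
    """Fraction of sifted positions where the two keys disagree."""
    return sum(x != y for x, y in zip(key_a, key_b)) / len(key_a)


def measure(basis_sent, bit_sent, basis_used, rng):
    """One photon: the result is certain if the bases agree, a coin flip otherwise."""
    return bit_sent if basis_sent == basis_used else rng.randint(0, 1)


def run_bb84(n, eve=False, seed=0):
    """Simulate n photons and return (Alice's sifted key, Bob's sifted key)."""
    rng = random.Random(seed)
    a_bases = [rng.choice(BASES) for _ in range(n)]
    a_bits = [rng.randint(0, 1) for _ in range(n)]
    b_bases = [rng.choice(BASES) for _ in range(n)]
    b_bits = []
    for basis, bit, b_basis in zip(a_bases, a_bits, b_bases):
        if eve:
            # Intercept and resend: Eve measures in a random basis and forwards
            # a new photon prepared in the state she found.
            e_basis = rng.choice(BASES)
            bit = measure(basis, bit, e_basis, rng)
            basis = e_basis
        b_bits.append(measure(basis, bit, b_basis, rng))
    return sift(a_bases, a_bits, b_bases, b_bits)


def undetected_probability(n_check):
    """Chance that Eve causes no mismatch in n_check publicly compared bits."""
    return 0.75 ** n_check


if __name__ == "__main__":
    print("text, no Eve  :", sift(ALICE_BASES, ALICE_BITS, BOB_BASES, BOB_BITS))
    a, b = sift(ALICE_BASES, ALICE_BITS, BOB_BASES, BOB_BITS_EVE)
    print("text, with Eve:", a, b, "errors:", round(error_rate(a, b), 3))
    a, b = run_bb84(20000, eve=True, seed=1)
    print("simulated error rate with Eve:", round(error_rate(a, b), 3))
    print("P(Eve unnoticed, 20 check bits):", undetected_probability(20))
```

On the short printed transcript the disagreement is 8 bits out of 22, above the expected 1/4; the simulated run over many photons settles close to 1/4.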

Cryptanalysts like Eve usually are quite more subtle
in their perversity than what the previous simple analysis
might suggest. Aware as they are of the quantum
subtleties, they are not satisfied with incoherently tapping
the quantum channel qubit by qubit; they know quite well
that the coherent attack on strands of
qubits, with probes analyzed after the public exchange of
information between Alice and Bob, can be much more
rewarding. To prove the safeness of a protocol such as
this BB84 under any type of imaginable attack by the
malicious and cunning Eve is neither a trivial nor an uninteresting
issue, specially having in mind that other protocols
resorting to quantum laws and considered as unconditionally
secure have fallen down, as for example the bit
commitment quantum protocol: Alice sends something
to Bob under the firm commitment of having chosen a
bit b that Bob completely ignores, but such that Alice
can later show it to him when he claims it. Resorting to
entangled EPR states makes it possible that any party
of the couple behaves dishonestly (that a cheating Alice
changes her commitment at the end without Bob being
aware, or that a villain Bob gets some information on b
without any request to Alice) (Mayers, 1996; 1997; Brassard
et al., 1997).

There exists a proof of unconditional security of QKD
through noisy channels and up to any distance, by means
of a protocol based upon the sharing of EPR pairs
and their purification, and under the hypothesis that
both parties (Alice and Bob) have fault-tolerant quantum
computers (Lo and Chau, 1999). Likewise, the unconditional
security of the BB84 protocol is also claimed
(Mayers, 1998).

c. B92 Protocol. 

Unlike the previous protocol, that uses a system in
four states, pairwise orthogonal, in this somewhat simpler
protocol B92 systems in only two non-orthogonal
states are involved. Its analysis is similar to the previous
one and shall be skipped.

3. EPR Protocols 

In 1991 Ekert, relying on previous ideas of Deutsch,
proposed an elegant method for secret key distribution,
where the generalized Bell's inequality is on the watch to
safeguard the confidentiality in the transmission of pairs
of spin-1/2 particles entangled à la EPRB (Deutsch, 1985;
Ekert, 1991).

Six months after Ekert's work appeared, Bennett,
Brassard and Mermin (1992) presented a very simple
scheme for key distribution that keeps using EPRB states
in the singlet state ($2^{-1/2}(|01\rangle - |10\rangle)$), but does not need
to invoke Bell's theorem to detect Eve's listening. Alice
and Bob measure the spin of their respective subsystems
(halves of EPRB pairs) randomly along Ox or Oz.
Through a public channel, they inform each other about
their sequences of selected observables, but not of the results
$\pm\frac{1}{2}$ obtained. They discard the cases in which their
selections differ. They keep the remainder; the results of
the latter are evidently anticorrelated. Bob now reverses
all his outcomes ($\pm\frac{1}{2} \mapsto \mp\frac{1}{2}$), and then both Alice and
Bob add $\frac{1}{2}$ to their results, thereby obtaining the secret
key to be shared. Sacrificing as before a piece of the key
for its public comparison, they can detect Eve's listening.

Although it can be shown that this protocol is essentially
equivalent to the BB84 (Bennett, Brassard and
Mermin, 1992), it presents a potential bonus (Collins,
1992): the users (Alice and Bob) could wait for the key
to show up just when they were about to use it (should
they know how to keep the EPR states expectant for a
while between their production and use), removing this
way the possibility of robbery by Eve of the shared key.

C. Practical Implementation of QKD 

The BB84 protocol was implemented for the first time
in the IBM T.J. Watson Research Center (1989-1992)
with polarized photons over 32 cm in air (Brassard, 1989;
Bennett et al., 1992). In 1995 the B92 protocol was realized
experimentally, also with polarized photons, transmitted
this time through optical fibre 22.8 km long in
the Swisscom cable connecting the cities of Geneva and
Nyon under the Leman lake (Muller, Breguet and Gisin,
1993; Muller, Zbinden and Gisin, 1996).

The use of photon polarization states for long distances
has a disadvantage: birefringence in the non-straight
parts of the fiber transforms linearly polarized
states into states of elliptic polarization, with accompanying
losses in transmission, and further produces dispersion
of the orthogonal polarization modes. Hence the
interest in other ways to codify the states, like for example
by means of phases instead of polarizations. A group
from British Telecom in the UK accomplished it (1994)
with optical fiber over 30 km distance, using interferometry
with phase-encoded photons (Marand and Townsend,
1995). There are no major difficulties in reaching around
50 km. In 1999 a group from Los Alamos has reached
48 km using this procedure (Hughes et al., 1996; 1999a;
1999b). For that reason it can be used to safely connect
diverse agencies of the Government in Washington. To
cover distances larger than 100 km would require the use
of safe repeaters where key material for re-broadcasting
might be generated.

With the protocol B92 again, it was possible in 1998
to quantumly transmit the secret key, at a rate of 5 kHz
and over 0.5 km in broad daylight and free space, with
polarized photons (Hughes et al., 1999a; 1999c). With
this key Alice encrypted a photograph (with 8 bits per
pixel), which Bob decrypted to reconstruct the original
image, with the results shown in Fig. 7.

In the near future this procedure can be used to generate
secret keys, shared by earth-satellite or satellite-satellite,
that allow to protect the confidentiality of the
transmissions.

More recently, QKD over 360 m has been achieved us- 
ing variants of E91 and BB84 (Jennewein et al. 1999). 
They used pairs of entangled photons to generate keys at 
a rate 0.4-0.8 kHz with an error bit rate of about 3%. 




FIG. 7: Air view of St. Louis airport (left), encrypted
image with a quantically generated key (center), and decrypted
image (right).

VII. QUANTUM COMPUTATION 

A simple and intuitive way to arrive at the notion of
quantum computation is through the miniaturization. 27
This has been the driving force in the modern upgrade of
ordinary computers. As a matter of fact, the electronic
industry of computers grows at the same time as the integrated
circuits decrease in size. This rapid growth in the
industry will continue as long as it is possible to include
more and more circuits in a single chip. However, this
pace cannot last forever and at some point it will reach
the limits of the integrated circuits technology. Even if we
can overcome these technological barriers, this trend will
lead us to the quantum realm where the quantum laws of
physics will impose fundamental limitations on the size of
the circuit components and on their performance. Thus,
if the computer industry is to keep growing at the same
rate, it will require another technological revolution.

Although this may look quite well ahead, it is estimated
that about the year 2020 we shall reach the atomic
size for storing one bit. Instead of just waiting for this
situation to come, some theoretical physicists decided
to move ahead and started to wonder about the radical
changes and possible advantages that a computer may
have if based upon the principles of quantum mechanics.

The estimations for reaching the atomic scale are based
on a remarkable observation made by Gordon Moore
(1965), later known as Moore's law, that the number
of transistors per square inch on integrated circuits had
doubled every year since the integrated circuit was invented.
Explicitly, the original curve for the density of
silicon integrated circuits (transistors per square inch)
was $\propto 2^{(t-1962)}$ where t is the calendar year. In subsequent
years, the trend slowed down a bit, but chip capacity
has doubled approximately every 18-24 months, and
this is the current definition of Moore's law (see Fig. 8).

27 Feynman's famous speech addressing the American Physical
Society (1959), with his provocative bets on building micro-engines
and writing on pin heads, signals the birth of nanotechnology.

FIG. 8: Moore's law for processors capacity (number of
transistors per square inch).

VIII. CLASSICAL COMPUTERS 

To pave the way to the concept of quantum computers
it proves convenient to discuss a classical concept,
namely, the notion of classical parallel computation. To
properly understand this let us recall first the basic principles
operating most of the ordinary computers we work
with as they were introduced first by Turing in 1936 and
subsequently developed by Von Neumann in 1945 (Von
Neumann, 1945; 1946), among others.

A. The Turing Machine 

The concept of a Turing Machine (TM) has become
the foundation of the modern theory of computation and
computability: the study of what computers can and cannot
do. Turing arrived at this concept in 1936 (Turing,
1936) in his quest to answer one of the questions posed by
Hilbert. This was the problem of decidability (Entscheidungsproblem):
Does there exist, at least in principle, a definite
method or process by which all mathematical questions
can be decided? (Hodges, 1992).

Turing realized that addressing this problem would require
a precise and compelling definition of what a definite
method is, as it appears in the statement of Hilbert's
problem. This is what Turing achieved by analyzing what
a person does during a methodical process of reasoning.
His guiding idea was how to translate the human process
of thought into something purely "mechanical", and then
he went on to map that process into a "theoretical machine"
which would operate on symbols on a paper tape
according to precisely defined elementary rules. Turing
also provided convincing arguments that the capabilities
of such a machine would be enough to encompass everything
that would amount to a definite method, which in
modern language is what we call an algorithm.

We shall see later how Turing answered the question 
of decidability in the negative using his concept of a TM, 
which we should first introduce. 

A Turing Machine is a type of Finite State Machine
(FSM) which has a finite set of states
$S = \{s_1, s_2, \ldots, s_S; s_{S+1} = s_{\rm halt}\}$, a finite alphabet of symbols
$A = \{a_1, a_2, \ldots, a_A; a_{A+1} = \text{blank}\}$ and a finite set
of instructions $\mathcal{I} = \{i_1, i_2, \ldots, i_I\}$. In addition, it has
an external infinitely long memory tape. This is called a
(S-state, A-symbol) TM.

The states $s_i$ correspond to the functioning modes of
the machine and the TM is exactly in one of these states
at any given time. The symbols in the alphabet serve to
encode the information processed by the machine: they
are used to code input/output data and to store the intermediate
operations. The instructions are associated to
the states in S and they tell the machine what action to
perform if it is currently scanning a certain symbol, and
what state to go into after performing this action. There
is a single halt state $s_{\rm halt}$ (or halt, for short) from which
no instructions emerge, and this halt state is not counted
in the total number of states. There is also a blank symbol
which serves to separate strings of data coded with
the rest of the alphabet symbols.

All these elements $(S, A, \mathcal{I})$ are physically arranged as
follows. A TM consists of three components:

The tape, which is a doubly-infinite tape divided into
distinct sections or cells. Each cell can hold only one
symbol $a_i \in A$.

A Read/Write (R/W) head or cursor, which can read or
write the symbol $a_i \in A$ in each tape cell.

A control unit, which is a device (or box) that controls
the movements of the R/W head based on the current
state of the TM and the content of the cell currently
scanned by the R/W Head, i.e., based on a pair $(s_i, a_i)$.

The R/W head is capable of only three actions:

Write on the tape (or erase from tape), only the cell being
scanned.

Change the internal state.

Move the head one cell to the left or right. Let us denote
this variable as $\gamma \in \{L, R\}$.

The behaviour of a TM is governed by the set of instructions
$\mathcal{I}$. These are rules which describe the transition
from an initial pair (state, symbol) to a final pair
plus the movement of the R/W head. Thus, each instruction
$j \in \mathcal{I}$ is a 5-tuple $[(s_i, a_i), (s_f, a_f; \gamma)]$ representing
the following transition

$\mathcal{I} \ni j: \quad (s_i, a_i) \longmapsto (s_f, a_f; \gamma).$ (54)

A consistency condition is demanded: no two instructions
$j_1, j_2 \in \mathcal{I}$ have the same initial pair $(s_i, a_i)$.

In Fig. 9 we plot a schematic picture of a TM.

An alternative and efficient way to describe a TM is by
means of a flow or state diagram (see Fig. 10). Here each
state $s_i \in S$ is enclosed in a circle, and the instructions
associated to a couple of states are represented by arrows
showing also the change of symbols on the tape and the
head movement.

FIG. 9: A picture showing the components of a Turing
Machine. The alphabet {1;0} is unary, with 0 denoting
blank. Stop means that ($s_{\rm halt}$, ·) has no assigned instruction.



In Fig. 10 we show a (2-state, 1-symbol) TM. It is customary
in this case to use a 1 for the symbol and 0 for the
blank, i.e., A = {1; 0}. When A = 1 and S = 2 we talk of
a 2-state TM for brevity. Then, this is a unary machine,
which should not be confused with a binary system, since
each number n is represented as a string of n 1s on the
tape, and not by its binary representation. The state set
is $S = \{s_1, s_2; \text{halt}\}$. In this simple example of TM, when
it is in state $s_1$ scanning a 1, the machine will move Right
one cell and stay in state $s_1$ (this is the loop in Fig. 10).
When it is in state $s_1$ scanning a blank symbol, it will
change this symbol to a 1 and go to state $s_2$. When it is
in state $s_2$, it will just move Right and stop.

FIG. 10: An example of flow diagram for a (2-state, 1-symbol)
Turing Machine as shown in Fig. 9.

In summary, unless it is in the halt state, this simple
TM will march rightward as long as it scans 1s, and when
it meets its first blank symbol, it will change this into a
1 and then it will move Right twice and stop.

Let us now describe a TM performing a more interesting
task like adding two numbers. This is an Adding TM.
Suppose we want to sum $n_1 + n_2$. The input data in the
tape is a string of $n_1$ 1s separated by a 0 from another
string of $n_2$ 1s. The output data in the tape must be
a string of $n_1 + n_2$ 1s. To achieve this output, we need
to remove the leftmost 1 in $n_1$ and convert the 0 into a
1. Then we can use a 2-state TM defined as follows (see
Fig. 11). When it is in state $s_1$ and the R/W Head scans
a 1, there is a transition to state $s_2$, the 1 is replaced by
0 and the head moves to the right. Similarly, there are
other 3 instructions which we plot in Fig. 11 in the form
of a chart table of instructions. In this Fig. 11 the input
is 2 + 2 and the output 4.

1. Computability

Despite their simplicity, Turing machines can be devised
to compute remarkably complicated functions. In
fact, a TM can compute anything that the most powerful
ordinary classical computer can compute. Until the
formulation of Quantum Computing, no one had yet proposed
a model of computation more powerful than the
TM. Thus, if we stick to classical machines and we had to
solve problems which a TM cannot solve, it seems that we
would have to resort to "supermachines" performing infinitely
many steps in a finite time or to guess the answer
out of the blue or something similar. The formalization
of this idea into a proposition was done independently
by A. Church and A. Turing and goes by the name of
Church-Turing hypothesis (Church, 1936; Turing, 1936;
1950; Hodges, 1992). Following Turing, it is stated as:
Every function that would naturally be regarded as computable
can be computed by some Turing Machine.

This is a hypothesis because it cannot be proved unless
we provide a formal definition of what naturally means.
This hypothesis has not been refuted within the realm
of classical physics, but we shall see that the notion of
a Quantum Turing Machine requires reformulating the
Church-Turing thesis.

As a consequence of the Church-Turing hypothesis, a
function is called computable when it can be computed
by a TM, while it is declared a noncomputable function
otherwise.



2. The Universal Turing Machine 

A further crucial concept introduced by Turing is that
of the Universal Turing Machine (UTM) (Turing, 1936).
So far we have considered TMs built for a specific purpose
and for that purpose only. The Universal TM allows
us to run all TMs on a general machine. Thus, a UTM
is defined as a single machine which comprises all Turing
Machines and is therefore capable of computing any
algorithm.

Just as an ordinary TM is defined by a set $(S, A, \mathcal{I})$
with the instructions in $\mathcal{I}$ being described by a 5-tuple
$[(s_i, a_i), (s_f, a_f; \gamma)]$, a UTM is constructed likewise by
providing a set $(S_U, A_U, \mathcal{I}_U)$ and a description of its instructions
$[(S_i, A_i), (S_f, A_f; \Gamma)]$. These instructions of a
UTM must be general enough to accommodate any possible
TM. This is accomplished by supplying it with the
information of a TM and the data of its tape.

FIG. 11: An example of Adding Turing Machine: following the sequence of instructions in the Control Unit the
machine performs 2 + 2 = 4.

There are several ways to construct explicitly a UTM
(Herken, 1995; Feynman, 1996; Minsky, 1967). For simplicity,
let us assume that the alphabet A_U = {a_1 = 0, a_2 = 1; ^y}
has a binary part corresponding to A.
This is not a restriction since any alphabet A can be
mapped onto a binary alphabet. At any given step of
the functioning of a UTM, the initial pair $(S_i, A_i)$ will
know about the current description of the TM's tape,
and as it also knows about the set of instructions $\mathcal{I}$, then
the UTM will output exactly the same data as the TM
it is simulating. In order to implement this, we need to
accommodate quite a lot of, but finite, information in
the UTM's tape. Namely, the input data for the UTM's
tape is precisely all we need to know about the TM it reproduces:
$(\tau; (S, A, \mathcal{I}))$, where $\tau$ denotes the TM's tape.
These elements are disposed on the UTM's tape consecutively
and separated by marks belonging to $A_U$. The
R/W head of the UTM is positioned at the initial cell
of the string encoding the data pair $(s_0, a_0)$ of the TM.
Then the UTM starts working, resorting to its set of instructions
$\mathcal{I}_U$. Without going into further details, this
set contains rules specifying how to bring the R/W head
to read a pair $(s_i, a_i)$, change it to a new pair $(s_f, a_f)$
and find the movement $\gamma$ of the tape $\tau$. This is repeated
all over until the given TM is fully imitated.

The number of states $S_U$ and symbols $A_U$ is variable in
a UTM. Minsky has constructed one with $S_U = 7$, $A_U = 4$
(Minsky, 1967). In fact, one can in principle always construct
a UTM with only $S_U = 2$ and finitely many symbols,
or only $A_U = 2$ and finitely many states.

The importance of the universal machine is clear. We
do not need to have an infinity of different machines doing
different jobs. A single one will suffice. The engineering
problem of producing various machines for various jobs is
replaced by the office work of programming the universal
machine to do these jobs (Turing, 1948). In summary, a
TM is comparable to an algorithm much like the UTM
is to a programmable computer.

3. Undecidability. The Halting Problem 

With the aid of a TM, Turing was able to answer the
problem of decidability. This can be rephrased in terms
of TMs: is it possible to compute any function by designing
an appropriate TM? Turing showed that this is
not possible because the set of possible functions is much
larger than the set of possible TMs. In fact, the set of
TMs is denumerable (and so is the set of inputs). This
is because any TM can be encoded into a finite binary
string. However, it is possible to find sets of functions
which are uncountable. Turing provided one such example
due to Cantor: the set $\mathcal{F}$ of all functions
$f : \mathbb{N} \to \mathbb{N}$.
Cantor had shown fifty years earlier, with his dilemma of
diagonalization, that this set $\mathcal{F}$ was not countable.
The proof is simple, by reductio ad absurdum: assume
$\mathcal{F}$ is denumerable, then label each function
$f \in \mathcal{F}$ with an integer:
$\mathcal{F} = \{f_0, f_1, \ldots, f_n, \ldots\}$. Next construct
a function $g : \mathbb{N} \to \mathbb{N}$ by defining
$g(k) := f_k(k) + 1$, $\forall k$. This
function $g$ is new, it is not contained in the initial set
$\mathcal{F}$ since it differs for at least one value of the
argument from each function in $\mathcal{F}$. Thus, the set
$\mathcal{F}$ is not complete. Contradiction.

This analysis implies that there must be noncomputable
functions. Turing provided the first explicit example
known as the halting problem: is it possible to design
a TM $H$ which tells us whether any TM will halt or
not, when executing its procedure for any input? Turing
showed that there does not exist such a TM $H$ (Turing,
1936), in other words, the halting decision problem is
undecidable, or equivalently, the predicate ($\{0,1\}$-valued
function) $h : \mathbb{N} \times \mathbb{N} \ni (i,j) \mapsto 1$
if the $i$-th TM $T_i$ will halt for input $j$,
$h : (i,j) \mapsto 0$ otherwise, is noncomputable.$^{28}$
In fact, suppose that the contrary holds, i.e.
that there exists $H$ which computes $h$, and define a function
$\tilde{h} : x \mapsto 1$ if $h(x,x) = 0$, $\tilde{h}(x)$ being
undefined otherwise.$^{29}$ The function $\tilde{h}$ is
computable by a TM $\tilde{H}$ obtained from $H$ just by
replacing 0 by 1 when $H$ halts and outputs 0, and by entering
an endless loop when $H$ is ready to halt with output 1. Let
$\tilde{H} = T_{i(\tilde{H})}$; if $\tilde{h}(i(\tilde{H})) = 1$,
then $h(i(\tilde{H}), i(\tilde{H})) = 0$ and thus $\tilde{H}$
should not halt for input $i(\tilde{H})$. Contradiction.
Similarly, if $\tilde{h}(i(\tilde{H}))$ is not defined, then
$h(i(\tilde{H}), i(\tilde{H})) = 1$ and thus $\tilde{H}$ should
halt for input $i(\tilde{H})$. Contradiction
again. Therefore $H$ cannot exist.

Another example was provided by T. Rado (1962) with
the so called Rado's $\Sigma$-function: assume that the TM has
$S$ states, $A = 1$ symbols and the input data is a tape
completely blank. Then, $\Sigma(S)$ is defined as the maximum
number of 1s left on the tape after this $S$-state TM
halts. This type of TM is now known as the busy-beaver
problem. Busy beaver TMs are difficult to find for two
reasons (Shallit, 1998): firstly, the search space is
extremely large - there are $[4(S+1)]^{2S}$ TMs with $S$ states
(for each non-halting state there are two transitions out,
so the total of transitions is $2S$, and each transition has 2
possibilities for the symbol being written, 2 possibilities
for the direction to move $\gamma = L, R$, and $S+1$
possibilities for what state to go to - including the halting
state). Secondly, due to the halting problem, it is in general
not possible to determine whether a particular TM will halt.
We have to content ourselves with finding busy beavers
for small $S$ by a brute-force approach. In Table II we
show the current status of this search. Another Rado's
function $\Sigma'(S)$ appears which is the maximum number
of moves performed by the TM before halting. Clearly,
$\Sigma'(S) \geq \Sigma(S)$.

In Fig. 12 we plot an explicit flow diagram of a 3-state
busy beaver (Shallit, 1998). When this TM starts with
input data a completely blank tape, it executes 13 moves
and writes six 1s. Thus, $\Sigma(3) \geq 6$ and
$\Sigma'(3) \geq 13$. Lin and Rado showed (1965) that for
$S = 3$ the $\Sigma(3)$ lower bound yields in fact the correct
solution. From $S = 5$ on, only lower bounds are known. For
example, $\Sigma(8) > 10^{44}$ (Rozenberg and Salomaa, 1994).

28 Any form of input/output can be encoded into nonnegative
integers (Salomaa, 1989).

29 Note that the same integer x singles out here both a TM and
an input.

  S    $\Sigma(S)$    $\Sigma'(S)$
  1    1              1 (a)
  2    4              6 (a)
  3    6              21 (a)
  4    13             107 (b)
  5    > 4098         > 47 176 870 (c)

(a) (Lin and Rado, 1965). (b) (Brady, 1983). (c) (Marxen
and Buntrock, 1990).

TABLE II: This is a table of busy-beaver TMs for small $S$
number of states. For $S = 6$, $\Sigma(6) > 95\,524\,079$,
$\Sigma'(6) > 8\,690\,333\,381\,690\,951$ (Marxen, 1997).
FIG. 12: A 3-state busy-beaver Turing Machine.

The proof that $\Sigma(S)$ is a noncomputable function goes
by reductio ad absurdum. One shows that $\Sigma(S)$ grows
with $S$ faster than any computable function, i.e. if $F(S)$
is an arbitrary computable function, then there exists $S_0$
such that $\Sigma(S) > F(S)$ for $S > S_0$ (Shallit, 1998). As a
byproduct, $\Sigma'(S)$ is not computable either.
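
The brute-force approach described above can be sketched as follows. This is an added example, not code from the paper: it enumerates all $[4(S+1)]^{2S}$ machines for small $S$ and, because halting cannot be decided in general, abandons any machine after an assumed step budget `max_steps`. The table `THREE_STATE` is a commonly quoted 3-state machine chosen for illustration and is not necessarily the one drawn in Fig. 12.

```python
from itertools import product

HALT = -1  # label used here for the halting state


def count_machines(n_states):
    """Size of the search space quoted in the text: [4(S+1)]^(2S)."""
    return (4 * (n_states + 1)) ** (2 * n_states)


def run(table, max_steps):
    """Run a 2-symbol TM on a completely blank tape.

    table[(state, symbol)] = (write, move, next_state), move in {-1, +1}.
    Returns (moves, ones) if the machine halts within max_steps, and None
    otherwise. The transition into the halting state counts as a move.
    """
    tape, pos, state = {}, 0, 0
    for step in range(1, max_steps + 1):
        write, move, nxt = table[(state, tape.get(pos, 0))]
        tape[pos] = write
        pos += move
        if nxt == HALT:
            return step, sum(tape.values())
        state = nxt
    return None  # undecided: endless loop, or simply a too small budget


def enumerate_machines(n_states):
    """Yield every transition table with n_states non-halting states."""
    keys = [(s, a) for s in range(n_states) for a in (0, 1)]   # 2S entries
    targets = list(range(n_states)) + [HALT]
    choices = list(product((0, 1), (-1, +1), targets))         # 4(S+1) each
    for combo in product(choices, repeat=len(keys)):
        yield dict(zip(keys, combo))


def bounded_search(n_states, max_steps):
    """Best (ones, moves) among machines that halt within the budget.

    Also returns how many machines were left undecided. Without a proof
    that those never halt, the two maxima are only lower bounds.
    """
    best_ones = best_moves = undecided = 0
    for table in enumerate_machines(n_states):
        result = run(table, max_steps)
        if result is None:
            undecided += 1
            continue
        moves, ones = result
        best_ones = max(best_ones, ones)
        best_moves = max(best_moves, moves)
    return best_ones, best_moves, undecided


# Illustrative 3-state machine (an assumption of this example, see lead-in).
A, B, C = 0, 1, 2
L, R = -1, +1
THREE_STATE = {
    (A, 0): (1, R, B), (A, 1): (1, L, C),
    (B, 0): (1, L, A), (B, 1): (1, R, B),
    (C, 0): (1, L, B), (C, 1): (1, R, HALT),
}

if __name__ == "__main__":
    print("3-state machine (moves, ones):", run(THREE_STATE, 100))
    for s in (1, 2):
        ones, moves, undecided = bounded_search(s, max_steps=50)
        print(f"S={s}: {count_machines(s)} machines, ones>={ones}, "
              f"moves>={moves}, undecided={undecided}")
```

For $S = 3$ the same search already has to visit $16^6 \approx 1.7 \times 10^7$ tables, which illustrates how quickly the search space grows.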

4. Other Types of Turing Machines 

The TMs considered so far are deterministic: the
instructions $i \in \mathcal{I}$ follow the transition rules in
(54). It is possible to design other TMs called nondeterministic
Turing machines (NDTM) for which, given an initial
pair $(s_i, a_i)$, there exists a bunch of possible final
triplets (Yan, 2000). This means that the transition mapping
(54) is no longer a function, but a relation given by

$$(\mathcal{S}, \mathcal{A}) \longrightarrow \mathrm{Subsets}(\mathcal{S}, \mathcal{A}; \gamma) \qquad (55)$$

where $\mathrm{Subsets}(\mathcal{S}, \mathcal{A}; \gamma)$ denote
all possible subsets of the Cartesian product
$\mathcal{S} \times \mathcal{A} \times \gamma$. A probabilistic
Turing Machine (PTM) is a type of nondeterministic Turing
machine with some distinguished states called coin-tossing
states. When the machine goes into one of these coin-tossing
states, the control unit chooses between two possible
legal next triplets in
$\mathcal{S} \times \mathcal{A} \times \gamma$. The computation of
a probabilistic TM is deterministic except that in coin-tossing
states the machine tosses an unbiased coin to decide
between two possible legal next moves. The class of
NDTMs is more powerful than the class of deterministic
Turing machines in the sense that anything computable
with a TM is also computable with a NDTM and usually
faster. A nondeterministic TM is closer to the idea of a
Quantum Computer, but still it is far from one of them
as we shall see in Sec. IX.



The Turing Machines introduced so far are irreversible:
given the output of a computation we cannot generally
reconstruct the input data. A reversible TM is one for
which the input determines the output and conversely,
the output determines the input. More explicitly, to
each Turing machine $M$ we can associate a directed
configuration graph $T(M)$: each node of the graph is a
possible configuration $C \in \mathcal{S} \times \mathcal{A}$,
and two nodes $C, C'$ are arc-connected when there is some
instruction $i \in \mathcal{I}$ of $M$ bringing $C$ to $C'$ in a
single computation step.

Reversible Turing Machine: A Turing machine $M$ is
reversible iff its graph of configurations $T(M)$ has only
nodes with indegree and outdegree$^{30}$ $\leq 1$.

We know that a non-reversible Turing machine has
outdegrees $\leq 1$. It is apparent that demanding indegrees
$\leq 1$ implies that $M$ can be executed in reverse
deterministically, since every configuration has only one
possible predecessor.

Lecerf (1963) and independently Bennett (1973) showed
that an irreversible Turing machine can be simulated
with a reversible Turing machine, at the expense of
extra computer space and time. This is a remarkable fact
for quantum computing since a quantum Turing machine
must be reversible (see Sec. IX).

Not only did Turing devise a theoretical computer, but he
also pursued the practical construction of one of them.
At the end of the war Turing was invited by the National
Physical Laboratory (NPL) in London to design a computer.
His report proposing the Automatic Computing
Engine (ACE) was submitted in March 1946. Turing's
design was at that point an original detailed design and
prospectus for a computer in the modern sense. The size
of storage he planned for the ACE was regarded by most
who considered the report as hopelessly over-ambitious
and there were delays in the project being approved. In
the long run, the NPL design made no advance and other
computer plans at Cambridge and Manchester took the
lead. One year earlier von Neumann had pushed forward
another project for constructing a computer machine.



B. The von Neumann Machine 

The foundations of von Neumann's work on computers
were laid down in the "First Draft of a Report on the
EDVAC," written in the spring of 1945 and distributed
to the staff of the Moore School of Engineering at the
University of Pennsylvania (where the EDVAC was originally
developed) in late June (Aspray, 1990). It presented
the first written description of the stored-program
concept and explained how a stored-program computer
processes information. Von Neumann collaborated
with Mauchly and Eckert on the design for EDVAC.

We can summarize the functioning of an ordinary computer
by saying one single thing at a time. Von Neumann
was the first to formalize the principles of a
"program-registered calculator" based on the sequential
execution of the programs registered in the memory of the
computer. This is called a von Neumann machine (VNM). A VNM
has the following parts, which are depicted in Fig. 13:

Processor. The active part of the computer where the 
information contained in the programs is processed step 
by step. It is in turn divided into three main parts: 

i) Control Unit: The unit which controls all the parts 
of the computer in order to carry out all the operations 
requested by other parts, such as extracting data from 
the memory, executing and interpreting instructions, etc. 

ii) Registers: A very fast memory unit inside the pro- 
cessor which contains that part of the data which is cur- 
rently being processed. 

iii) ALU: The Arithmetic and Logic Unit which is devoted
to the real computations such as sums, multiplications,
logic operations, etc., executed on the data supplied
by the registers or memory upon demand by the
control unit.

Memory: The part of the computer devoted to the
storage of the data and instructions to be processed. It is
divided into individual cells which are accessible by means
of a number called address.

30 The indegree (outdegree) of a node is the number of incoming
(outgoing) lines.

FIG. 13: Von Neumann Machine (diagram labels: Memory, CPU,
data, instructions).



The functioning of a VNM is cyclic. One of these cycles
contains the following operations: the control unit
reads one program instruction from the memory, which
is executed after being decoded. Depending on the type
of instruction, a piece of data can either be read from
or written in the memory, or an instruction be executed.
In the next cycle to be performed, the control unit reads
another program instruction which is precisely next in
the memory to the one processed in the previous cycle.

It is the simplicity of this sequentially operating model
which makes it rather advantageous for many purposes
because it facilitates the design of machines and programs.



C. Classical Parallelism 

There are complex problems which demand a very
large number of operations to be performed as well as
a large amount of computer resources. These problems
include image processing such as satellite images,
meteorological predictions, scientific calculations arising in
strongly correlated many-body systems, computation of
the hadronic spectrum in QCD (Quantum Chromodynamics)
on the lattice, real-time calculations in plasma
physics, turbulence in fluids, and many more. It was
noticed soon that an ordinary computer based on the
VNM architecture would have a very long way to go to cope
with this type of problem, where a massive number of
operations needs to be done in a very short period of
time.

A classical parallel computer is the natural way to address
these problems. The idea of parallelism is also simply
summarized as many things at a time. We shall see
that a quantum computer would realize this goal at the
highest possible degree of parallelism.

Although the idea of parallelism is very simple to state,
its practical implementation has faced many obstacles for
several reasons we shall briefly describe. This will be
quite illustrative later when we refer to the principles of
quantum computation.

The way to extend the sequential VNM into a parallel
computer is not unique. The components entering a
parallel machine (PM) are already present in the VNM,
but their number and organization differ. One way to
understand the various possibilities is by recalling the
organization of a program in any computer. A program is
divided into instructions and data. These are its building
blocks. This distinction means that we may have several
degrees of parallelism depending on how many instructions
and/or data the PM handles at a time. This leads
to a first classification of PMs known as Flynn's
classification (1966; 1972) which describes in four categories
how a computer functions without entering the details of
its architecture:

i) SISD: Single Instruction stream, Single Data stream.
Executes one instruction at a time (single instruction
stream) and fetches/stores one data value at a time (single
data stream). It has only one CPU. Example: the von
Neumann machine (specifically, processors like Motorola,
Intel and AMD, etc.)

ii) MISD: Multiple Instruction stream, Single Data
stream. This corresponds to multiple programs operating
on the same data (performing different computations).
Example: none is available. This category does not seem
to be useful.

iii) SIMD: Single Instruction stream, Multiple Data
stream. Executes one instruction at a time (single
instruction stream) and the same operation is performed
on many data values at the same time (multiple data
stream). Example: The vector machines like Thinking
Machine's Connection Machine CM-2. A vector operation
with n elements can be executed by one instruction
cycle on a SIMD parallel machine.

iv) MIMD: Multiple Instructions stream, Multiple
Data stream. These are multiprocessor systems, each
processor executing a different program on its own data.
Thus, there are multiple instruction streams (programs)
and multiple data streams. Example: most distributed
memory parallel processors, like Thinking Machine's
Connection Machine CM-5, Cray T3D, IBM SP-2,
workstation clusters, fit in this category.

Of these machines, those of type SIMD and MIMD
are parallel machines, the latter having a higher degree
of parallelism. In Fig. 14 we show a schematic
representation of Flynn's classification. Only processors and
memory units are represented, without going into finer
details about the interconnection network, types of
memories (shared, distributed, cached, . . . ), pipelines,
etc.$^{31}$



FIG. 14: Flynn's classification of parallel machines (P =
processor, M = memory). Axes: instruction streams (single,
multiple) versus data streams (single, multiple).

One may think at first glance that what counts in a
PM is simply the number of processors. However, what
really matters is the way the many processors are organized
and how the information is exchanged among them.
The reason is that for two processors to intercommunicate,
it is necessary that they be synchronized and
consequently, they have to wait for each other. Thus, this slows
the functioning of a PM if only the number of processors
is increased without taking care of their organization.

31 Flynn's classification is too coarse for classifying multiprocessor
systems, and there exist modifications to it (Hwang and Briggs,
1985) and new ones as well like Handler's classification (1982) and
others.

Therefore, we arrive at the conclusion that to scale up
a PM one has to multiply the number of processors and
also to find interconnecting structures for them.
These structures or networks need to be regular, efficient
and low cost. The determination of the best interconnecting
network for the processors in a PM is especially
crucial when their number increases considerably.

For an interconnecting network (or lattice) to be good
it has to minimize at the same time the total number of
physical connections (or links) and the average distance
between processors. This average distance is measured
in terms of the number of connections to be traversed.
Furthermore, the network has to be regular enough to
be scalable when more processors are added.

In order to understand these requirements let us enumerate
and analyze some archetypical networks.

Fully connected lattice: This is one extreme case which
is made up of, say, $N$ processors in such a way that all
of them are connected to one another, as shown in Fig. 15.
The number of connections is $\frac{1}{2}N(N-1)$, and thus it
is of order $O(N^2)$. This fact makes it non-practical
because there are other more economical alternatives for
connections.





FIG. 15: Ring vs. fully connected processor lattices.



Ring lattice: The network of processors forms a ring
(see Fig. 15), which has the advantage of needing only
two connections per processor, no matter their number.
In this sense it is the opposite of the full lattice. However, it
has a very important disadvantage, because in the worst
case a message has to traverse $N/2$ processors (half of
the lattice) to reach its destination. This is also non-practical
when $N$ is large.

Binary Tree: The processors are organized such that
each node is connected to three nodes, namely, one parent
and two children (Fig. 16). The problem with this type
of lattice is that the inner nodes deep inside the tree are
very poorly connected among themselves.

Hypercube: This is the solution that has turned out to be
optimal in meeting the desired requirements (Fig. 17). In
the simplest possibility, one processor is installed at each
vertex of the cube, which can be of any dimension $D$.
In the familiar case of a $D = 3$ cube, each processor is
connected to 3 others and, more importantly, each one is
at a maximum distance of 3 connections from any other.
For a $D$-dimensional hypercube the number of processors
is $2^D$, each one is connected to $D$ neighbor processors and
is at most a distance $D$ apart from any other. The most
famous PM based on this hypercube architecture is the
original Connection Machine and the Crays. It is not
surprising that Feynman, who played a paramount role
in the beginning of quantum computers, worked in the
design of this PM and made some notable contributions
(Hillis, 1998).

FIG. 16: Binary tree processor lattice.

FIG. 17: Hypercube networks (panels: 1D, 2D, 3D, 4D).
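
The trade-off between the number of links and the distance between processors can be checked numerically. The following is an added example, not taken from the paper: it builds the four lattices for 16 processors (the heap-style numbering of the binary tree and all function names are assumptions of this sketch), measures links, degree and worst-case distance by breadth-first search, and routes a message on the hypercube by correcting one address bit per hop.

```python
from collections import deque


def fully_connected(n):
    return {i: [j for j in range(n) if j != i] for i in range(n)}


def ring(n):
    return {i: [(i - 1) % n, (i + 1) % n] for i in range(n)}


def binary_tree(n):
    """Node k has parent (k - 1) // 2 (heap numbering, an assumption)."""
    adj = {i: [] for i in range(n)}
    for child in range(1, n):
        parent = (child - 1) // 2
        adj[parent].append(child)
        adj[child].append(parent)
    return adj


def hypercube(dim):
    """Processors are the 2^D bit strings; neighbours differ in one bit."""
    return {v: [v ^ (1 << b) for b in range(dim)] for v in range(1 << dim)}


def distances_from(adj, src):
    """Breadth-first search: number of links to every other processor."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def metrics(adj):
    """Links, largest degree, worst-case and average distance of a lattice."""
    n = len(adj)
    worst = total = 0
    for src in adj:
        dist = distances_from(adj, src)
        worst = max(worst, max(dist.values()))
        total += sum(dist.values())
    return {
        "links": sum(len(nb) for nb in adj.values()) // 2,
        "max_degree": max(len(nb) for nb in adj.values()),
        "max_distance": worst,
        "avg_distance": total / (n * (n - 1)),
    }


def hypercube_route(src, dst, dim):
    """Path from src to dst that flips the differing address bits in turn.

    Its length is the number of differing bits, hence never more than D.
    """
    path, node = [src], src
    for b in range(dim):
        if (node ^ dst) >> b & 1:
            node ^= 1 << b
            path.append(node)
    return path


if __name__ == "__main__":
    lattices = {
        "fully connected": fully_connected(16),
        "ring": ring(16),
        "binary tree": binary_tree(16),
        "hypercube D=4": hypercube(4),
    }
    for name, adj in lattices.items():
        print(f"{name:16s}", metrics(adj))
    print("route 0000 -> 1011:", hypercube_route(0b0000, 0b1011, 4))
```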



The interconnecting networks of processors considered
so far are called static because the structure is fixed by
construction. There exists also the possibility of dynamic
networks whose configuration is changeable. In
this case the processors are connected not directly but
through commuters which can be switched in different
ways.

One of the fundamental problems posed by parallel
computers is their control. There are also several strategies
to address this issue. One possibility is to have a central
processor working as a control unit for the rest of
processors, as in the SIMD. This is a model of centralized
control in which the control unit sends instructions to the
other processors which never interfere with the central
processor. In order to simplify their working, it is normal that
the same instruction is sent to all the processors which
in turn operate on different sets of data. This mode of
control has the same disadvantages as the original VNM:
it is slow. The reason is that the control unit has to
send many electrical pulses to perform the control task.

An alternative to centralized control consists in allowing
each processor to take its own decisions, usually consulting
only its nearest-neighbor processors. This solution
has also difficulties because the programs must be
written in a way very different from the standard. Moreover,
such non-centralized control can become very inefficient
because the processors might spend most of their
time exchanging messages rather than making computations.

The problem of organizing and controlling the parallelism
in a classical computer resembles very much the
organization problems in the human societies, which is
as open a problem there as for networks of computers.
We shall see in Sec. IX that in a quantum computer one
also faces similar synchronization problems and we shall
discuss how they are solved in terms of physical principles.



D. Classical Logic Gates and Circuits 

A Turing machine is by no means a practical computer,
despite being a powerful theoretical machine. In practice,
computers are made of electronic circuits, which in
turn contain logic gates. A logic gate is a device that
implements a classical logic operator like the AND operator.
A logic operator or function $f$ is an application
$f : \{0,1\}^n \longmapsto \{0,1\}^m$, which maps an input of $n$
bit-valued operands into an $m$-bit-valued output. When the
target space of $f$ is $\{0,1\}$, one usually says that $f$ is a
Boolean operator or function. A Boolean algebra is a unital
algebra defined over the field $\mathbb{Z}_2 = \{0,1\}$. Boolean
algebras are useful to elucidate situations which can be
true or false, making appropriate reasonings to draw
conclusions correctly. They are therefore helpful in building
practical computers and in programming. Furthermore,
it is possible to show that classical Turing machines are
equivalent to classical logic circuits. This means that
they both have the same complexity classes. This is a
mathematical result that legitimates the use of electronic
circuits in the construction of real computers.

Before stating this important result as a theorem, let
us take a closer look at some rudiments of Boolean logic
that will also help in understanding the peculiarities of
quantum logic gates (see Sec. IX).

An operator with one operand is called a unary operator,
with two operands is a binary operator. There
are three basic Boolean or logic operators: 1/ The unary
operator NOT: $x \mapsto \mathrm{NOT}\, x := \bar{x} := 1 - x$,
denoted also by overlining the argument ($\bar{\ }$). 2/ The binary
operator AND: $(x,y) \mapsto x\ \mathrm{AND}\ y := x \wedge y := xy$,
also denoted by $\wedge$. 3/ And the binary operator OR,
$(x,y) \mapsto x\ \mathrm{OR}\ y := x \vee y := x + y - xy$, denoted
also by $\vee$. As usual, Boolean arithmetics is done in the
field $\mathbb{Z}_2$: $1 + 1 = 0$.

The action of a logic operator is represented by a truth
table. A truth table contains as many columns as input
operands and output bits, and $2^{\#\,\mathrm{operands}}$ rows. The
inputs are shown on the left, and the output is shown on
the right. The truth tables for the basic operators are
shown in Table III. An important Boolean expression
involving 2 variables $x, y$ is
$r = (x \wedge \bar{y}) \vee (\bar{x} \wedge y)$, i.e.
$r(x,y) = x + y$.$^{32}$ Expressions in the Boolean algebra
can be represented by logic circuits. A logic circuit is a
directed acyclic graph with incoming lines carrying input
Boolean variables $x_1, x_2, \ldots, x_n$ and an outgoing line
carrying the output variable $y$ of the circuit. Every node
in the graph is a logic gate which represents a logic operator
of the Boolean algebra. In real computers, circuits
consist of electronic devices such as switches and wires.

TABLE III: Truth tables for the basic logic operators:
NOT ($\bar{\ }$), AND ($\wedge$), OR ($\vee$).

To each logic operator we can associate a logic gate
with a specific form. That logic gate has a number of
incoming lines, one per input operand, and one outgoing
line for the output result. In Fig. 18 we show the convention
for the basic logic gates. In the same way as the
basic operators of the algebra make up more complicated
expressions, the basic gates are combined to construct
complex circuits.

FIG. 18: Basic classical logic gates.



Additional gates that duplicate the input values on
wires are frequently needed. These are called FANOUT
or COPY gates and they are schematically represented
by -•< (see Fig. 19). In classical computation, these
are sort of obvious gates for they simply correspond to
splitting the wire into two or more leads, which is an
easy operation. This is why they are usually taken for
granted throughout classical computing. Nevertheless,
these irreversible FANOUT gates are logically necessary
when discussing the important issue of universality of
classical gates. On the contrary, these duplicating gates
find no room in the insides of a quantum circuit due to
the linearity of quantum mechanics (no-cloning theorem,
Sec. III).

A Boolean circuit computes a Boolean function in a
natural way by following its directed path (usually from
left to right) upon application of its constituent gates.
The size of a circuit $C$ is its number of gates, and the
depth of $C$ is the length of the longest directed path in
it. A typical circuit is depicted in Fig. 19.

32 This r corresponds to the XOR operation.

FIG. 19: A classical logic circuit: adder for two bits
x, y. The bifurcating wires at the nodes are achieved
with FANOUT gates.

So far we have introduced a set of three basic logic
operators (NOT, AND, OR). It proves also convenient
to introduce three additional new gates: NAND, NOR
and XOR. The gates NAND and NOR are the negation
of AND and OR, respectively. The gate XOR is called
exclusive OR, and is also denoted by $\oplus$. Their truth
tables are shown in Table IV.

TABLE IV: Truth tables for the logic operators NAND,
NOR, XOR.

Suppose that we are given a tractable decision problem,
i.e. a problem in class P (see Appendix). This
means that there exists a Turing machine $M$ deciding it
($M(x_n) = 0, 1$) for initial data $x_n$ of arbitrary length $n$,
in polynomial time. This problem is said to have polynomial
circuits when there is a family $\{C_1, \ldots, C_n, \ldots\}$
of logic circuits, of polynomial size in the input length $n$,
such that $M(x_n) = 0, 1$ iff $C_n(x_n) = 0, 1$.

It can be shown that all problems in class P have polynomial
circuits. The converse, however, is not true: there
exist undecidable decision problems that have polynomial
circuits (Papadimitriou, 1994). This shortcoming is
remedied by restricting the circuit family to be a uniform
circuit family: for each $n$, the description of each $C_n$ is
an output of an auxiliary Turing machine in polynomial
time when entered with an appropriate input of length
$n$.$^{33}$

The equivalence between classical Turing machines and
Boolean logic circuits is stated in the following theorem
(Savage, 1972; Schnorr, 1976; Pippenger and Fisher,
1979; Papadimitriou, 1994):

Turing machines and uniform circuit families: A decision
problem is in class P, i.e. it can be solved for inputs
of length $n$ by a Turing machine in polynomial time $p(n)$,
iff it has a uniform family of polynomial circuits. Moreover,
the minimum size of $C_n$ is $O(p(n) \log p(n))$.

This theorem legitimates the simulation of Turing machines
by logic circuits. Dealing with gates and circuits is
simpler and more practical than with Turing machines.
Actually, gates are packaged into hardware chips.

33 Actually the auxiliary TM should be (log n)-space bounded,
which implies polynomial time boundedness.


With the basic set {NOT, AND, OR} one can build
any logic function over the Boolean algebra, provided
that FANOUT gates and ancilla or work bits are freely
used. Because of this property, {NOT, AND, OR} is
called a universal set of logic gates. However, this set is
not minimal. To see this we use the so called de Morgan's
laws, which are the following Boolean identities:

$$\overline{(x \vee y)} = \bar{x} \wedge \bar{y},$$
$$\overline{(x \wedge y)} = \bar{x} \vee \bar{y}. \qquad (56)$$

These two algebraic equations are dual to each other. Negation
of the first produces $x \vee y = \overline{(\bar{x} \wedge \bar{y})}$.
This is telling us that OR gates are not essential: the AND and
NOT gates can by themselves reproduce the functionality
of the OR gate. Similarly, the second relation in
(56) leads to $x \wedge y = \overline{(\bar{x} \vee \bar{y})}$, that
is, AND gates can be implemented with OR and NOT gates. Then
the set {AND, NOT} is universal, and so is the set {OR, NOT}.

Can we reduce further the number of elements in a
universal set? The answer is yes. The surprising result is
that NAND gates alone (or, similarly, NOR gates alone)
are sufficient for constructing any circuit (up to FANOUT
and work bits). We know this from the following simple
laws:

$$\bar{x} = 1\ \mathrm{NAND}\ x,$$
$$x \wedge y = \overline{(x\ \mathrm{NAND}\ y)} = 1\ \mathrm{NAND}\ (x\ \mathrm{NAND}\ y). \qquad (57)$$

Therefore we see that {NAND} (or {NOR}) can do
everything that the set {AND, NOT} does, and hence
{NAND}, {NOR} are also universal sets.
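
The identities (56) and (57) can be verified mechanically. In this added example (not from the paper; the `Circuit` class and its wire numbering are assumptions of the sketch) every gate is a NAND, FANOUT is modelled by reusing a wire, and the constant 1 is a work bit. It builds NOT, AND, OR and XOR from NAND alone, assembles the two-bit adder of Fig. 19, and reports the size and depth as defined earlier in this section.

```python
from itertools import product


class Circuit:
    """Logic circuit stored as a DAG in which every gate is a NAND.

    Wire ids: 0..n-1 are the inputs, n is the constant work bit 1, and
    every new gate gets the next id. Reusing an id plays the role of FANOUT.
    """

    def __init__(self, n_inputs):
        self.n_inputs = n_inputs
        self.one = n_inputs
        self.gates = []  # (wire_a, wire_b) per NAND, in topological order

    def nand(self, a, b):
        self.gates.append((a, b))
        return self.n_inputs + len(self.gates)

    def not_(self, a):      # eq. (57): NOT x = 1 NAND x
        return self.nand(self.one, a)

    def and_(self, a, b):   # eq. (57): x AND y = 1 NAND (x NAND y)
        return self.nand(self.one, self.nand(a, b))

    def or_(self, a, b):    # eq. (56): x OR y = NOT(NOT x AND NOT y)
        return self.nand(self.not_(a), self.not_(b))

    def xor(self, a, b):    # r = (x AND NOT y) OR (NOT x AND y)
        return self.or_(self.and_(a, self.not_(b)),
                        self.and_(self.not_(a), b))

    def xor_compact(self, a, b):
        """Same function with 4 NANDs: size depends on the construction."""
        t = self.nand(a, b)
        return self.nand(self.nand(a, t), self.nand(b, t))

    def evaluate(self, inputs, outputs):
        values = list(inputs) + [1]
        for a, b in self.gates:
            values.append(1 - values[a] * values[b])
        return tuple(values[w] for w in outputs)

    def size(self):
        """Number of gates."""
        return len(self.gates)

    def depth(self, outputs):
        """Length of the longest directed path ending at an output wire."""
        level = [0] * (self.n_inputs + 1)
        for a, b in self.gates:
            level.append(1 + max(level[a], level[b]))
        return max(level[w] for w in outputs)


def matches(build, reference, n_inputs):
    """True if the NAND-only circuit agrees with reference on all 2^n rows."""
    circuit = Circuit(n_inputs)
    out = build(circuit, *range(n_inputs))
    return all(
        circuit.evaluate(bits, [out]) == (reference(*bits) % 2,)
        for bits in product((0, 1), repeat=n_inputs)
    )


def half_adder(compact=False):
    """Adder for two bits: returns the circuit and (carry, sum) wires."""
    c = Circuit(2)
    total = c.xor_compact(0, 1) if compact else c.xor(0, 1)
    carry = c.and_(0, 1)
    return c, (carry, total)


if __name__ == "__main__":
    print("NOT:", matches(Circuit.not_, lambda x: 1 - x, 1))
    print("AND:", matches(Circuit.and_, lambda x, y: x * y, 2))
    print("OR: ", matches(Circuit.or_, lambda x, y: x + y - x * y, 2))
    print("XOR:", matches(Circuit.xor, lambda x, y: x + y, 2))
    for compact in (False, True):
        adder, outs = half_adder(compact)
        rows = {b: adder.evaluate(b, outs) for b in product((0, 1), repeat=2)}
        print(rows, "size", adder.size(), "depth", adder.depth(outs))
```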

IX. PRINCIPLES OF QUANTUM COMPUTATION 

In the previous section we have described some basic
aspects of Turing machines and their practical implementations
by means of the Von Neumann architecture. Yet,
there is a long way from there towards the construction of
a real computer as those we have on our desks. In Fig. 20
we provide a visualization of the route we have to follow.
This long route starts with the abstract notion of a classical
computer embodied in a Turing machine. No real
computer has a Turing machine inside. Instead, the operations
carried out by a Turing machine can be substituted
by logic gates. These logic gates can do sums, multiplications,
logic operations, etc. With just a few logic gates
we can do almost nothing of the daily tasks we are used
to nowadays. To get the power and speed of an ordinary
computer we need millions of logic gates interconnected
and integrated into tiny circuits. These are called integrated
circuits or chips. Finally, these integrated circuits
are arranged into the computer motherboard with other
components, and along with a screen, keyboard, mouse,
etc. we have a universal machine capable of doing many
tasks, like writing this article.







FIG. 20: From a Turing machine to a real computer. 

All these four stages in Fig. 20 have been accomplished in the case of the classical computers. What is the current state of the art in the case of quantum computers? The first step in Fig. 20 has also been achieved for quantum computers. This is the topic of Subsec. IX.A where we discuss the notion of quantum Turing machines, the quantum version of the classical Turing machines introduced thus far. Moreover, the second step regarding the design of quantum logic gates has also been accomplished, as we shall explain in Subsec. IX.B. These quantum gates are used as the basic components of a quantum computer to design quantum algorithms that surpass certain very important classical algorithms (see Sec. X). More important is the fact that, in recent years, an experimental realization of these quantum gates has been made (see Sec. XI), which lets us cherish the possibility of building a real operative quantum computer on an equal footing with the current classical precursors. However, to achieve this goal we need to take further steps, like finding the quantum equivalent of an integrated circuit (third step). This step amounts to the problem of scalability in a quantum computer: so far, the experimental realizations mentioned previously consist of just a few gates, and although a quantum gate is more powerful than a classical one, we also need a large number of them to perform non-trivial tasks. We need to scale up our current quantum technology. Finally, the fourth and last step will be to have a real operative quantum computer in our hands, with all the external devices to communicate with it. Although there is still a long way ahead to achieve this goal, the fact that the fundamental first and second steps have already been done is very encouraging. In the following we shall describe these two steps for quantum computers.

From a fundamental point of view, a quantum computer (QC) is a quantum Turing machine (QTM) and
this is a concept that we shall next define.



FIG. 21: Pictorial view of a quantum Turing machine:
there are qubits (Bloch's spheres, Fig. ^) in the tape and
in the control unit.



A. The Quantum Turing Machine 

There have been several achievements before arriving at the concept of a QTM and it is not our purpose to give a full account of all of them, but instead we shall mention some of the most representative constructions or machines. We start by mentioning Benioff's machine, which is a model for computation introduced by P. Benioff (1980; 1981; 1982). Benioff's goal was to use quantum mechanical systems to construct reversible Turing machines. His motivation was that the unitary evolution of an isolated quantum system provides a way to implement reversible computations. The issue of reversibility had attracted much attention since Bennett (1973) constructed a classical model of reversible computing machine equivalent to a Turing machine. Landauer (1961) had shown that reversible operations dissipate no energy, while a Turing machine as described in Sec. VIII performs irreversible changes during computations. Although Benioff's machine is a quantum machine, it is not however a quantum computer, for it is equivalent to a reversible TM. Feynman (1982) went one step further towards the notion of quantum computer with his "universal quantum simulator" or Feynman's machine. He proposed to use quantum systems to simulate quantum mechanics more efficiently than classical computers do.34 He showed (Feynman, 1985) that classical TMs slow down exponentially when simulating quantum phenomena while a universal quantum simulator would do the job efficiently. However, Feynman's machine is not fully a quantum computer in the sense described below, for it does not allow programming an arbitrary task.

Deutsch (1985) gave the final step in the quest for a sensible definition of a quantum computer. His starting point is a critique of the Church-Turing hypothesis (see Sec. VIII.A), which he considers very vague as compared to physical principles such as the gravitational equivalence principle. Deutsch proposes to make more concrete the statement "functions which would naturally be regarded as computable" in the Church-Turing hypothesis. He identifies such functions as those which can be computed by a real physical system. This is quite apparent, since it is hard to believe that something is naturally computable if it cannot be computed in Nature. Thus, Deutsch goes on to promote the Church-Turing hypothesis into a physical principle which he states as the Church-Turing Principle: Every finitely realizable physical system can be perfectly simulated by a universal model computing machine operating by finite means.

The content of this principle is more physical than the corresponding hypothesis since it appeals to objective concepts such as measurement, physical system, etc. instead of the subjective notion of "naturally computable". The "finite means machine" in the Church-Turing principle is more general and replaces the role of the Turing machines in the corresponding hypothesis (Sec. VIII.A).

Deutsch follows a natural way to introduce the definition of a Quantum Turing Machine (QTM): starting from the knowledge we have of its classical counterpart (see Sec. VIII.A) he replaces some of the classical components of an ordinary TM, like bits, by quantum elements, like qubits.

A Quantum Turing Machine is a Finite State Machine which has three components: a finite processor, an infinite memory unit (of which only a finite portion is ever used) and a cursor. The description of these components is as follows:

i) Finite Processor. This is the control unit as in a TM but it consists of a finite number P of qubits. Let us denote the Hilbert space of these processor states as

$$\mathcal{H}_P := \mathrm{span}\Big\{ \bigotimes_{i=0}^{P-1} |p_i\rangle : p_i = 0, 1 \Big\}. \tag{58}$$

ii) Memory Tape. This has a similar functionality as in a TM but it consists of an infinite number of qubits.35 Let us denote the Hilbert space of these memory states as

$$\mathcal{H}_M := \mathrm{span}\Big\{ \bigotimes_{i=-\infty}^{+\infty} |m_i\rangle : m_i = 0, 1 \Big\}. \tag{59}$$

iii) Cursor. This is the interacting component between the control unit and the memory tape. Its position is scanned by a variable $x \in \mathbb{Z}$ and the associated Hilbert space is

$$\mathcal{H}_C := \mathrm{span}\{ |x\rangle : x \in \mathbb{Z} \}. \tag{60}$$

Therefore, there is a Hilbert space of states associated to a QTM which altogether takes the form

$$\mathcal{H}_{QC} := \mathcal{H}_C \otimes \mathcal{H}_P \otimes \mathcal{H}_M. \tag{61}$$

The basis vectors in the Hilbert space $\mathcal{H}_{QC}$ of the QTM are of the form

$$|x; p; m\rangle := |x;\ p_0, p_1, \ldots, p_{P-1};\ \ldots, m_{-1}, m_0, m_1, \ldots\rangle, \tag{62}$$

and are called the computational basis states.

We may wonder about the relationship between the defining features of a classical TM (see Sec. VIII.A) and those of a QTM. The set of states $S$ corresponds to the Hilbert space of states $\mathcal{H}_P$ in a QTM. The alphabet A is just the qubit space $\mathbb{C}^2$. As for the set of instructions T of a TM, we need to specify the way a QTM works.

A QTM operates in steps of fixed duration T, and during each step only the processor and a finite part of the memory unit interact via the cursor. We stress that a QTM, much like a TM, is a mathematical construction; we shall present explicit experimental realizations in Sec. XI.



The set of instructions T of a TM is replaced by the unitary time evolution of the quantum states $|\Psi\rangle \in \mathcal{H}_{QC}$. After a number $n \in \mathbb{N}$ of computational steps, the state of the QTM will be transformed into

$$|\Psi(nT)\rangle = U^n |\Psi(0)\rangle, \tag{63}$$

with U a unitary evolution operator, $U U^\dagger = U^\dagger U = 1$. A valid quantum program takes a finite number of steps n. To each QTM there is associated a unitary evolution operator U to do a certain job or program, much like a TM has a unique set of instructions X, and each TM performs a certain task. To specify the initial state $|\Psi(0)\rangle$,



34 Manin (1980) had already envisaged that the complexity of quantum systems surpassed the capabilities of classical computers.

35 Even if ideally there is a qubit per cell, only a finite number of them are active during each running of the QTM.
we set to zero both the cursor position x = 0 and the prepared processor states p = 0. The memory states m are prepared allocating the input data and other program instructions, conveniently encoded into a finite number of qubit strings, with the rest of the memory qubits set to $|0\rangle$. The initial state is then

$$|\Psi(0)\rangle = \sum_m c_m |0; 0; m\rangle, \quad \text{with} \quad \sum_m |c_m|^2 = 1. \tag{64}$$



The notion of a QTM operating "by finite means" entering the Church-Turing principle means that the machine cannot do infinitely many operations at a given time nor at arbitrary positions along the memory tape. This notion suggests the following constraint on the matrix elements of the evolution operator of a QTM:

(x';p'·,m'\U\x;p;m) = [S x > , X+1 U + (p' , m' x ,\p, m x ) 

+ <5 x ',x-ií/"(p / ,m^|p,TO x )] Y[ <5™ x ,, mx . ( 65 ) 

X ! ^X± 1 

In these matrix elements, the infinite product guarantees that only a finite number of memory qubits participate in a single computational step. Once the qubit at the xth cursor position is singled out, the two deltas appearing in the brackets guarantee that the cursor position cannot change by more than one unit, either backward, forward or both. This operating mode amounts to locality in the tape space. We call the parts $U^{\pm}(p', m'_{x\pm1} | p, m_x)$ of U forward and backward matrices at x, respectively. They represent the operators $P_{x\pm1} U P_x$ in the computational basis, where $P_x$ is the projection onto the Hilbert subspace of $\mathcal{H}_{QC}$ consisting of the states with the cursor at the xth position. Unitarity of U is equivalent to $U^{\pm\dagger} U^{\mp} = 0$, $U^{+\dagger} U^{+} + U^{-\dagger} U^{-} = 1$. Each unitary operator $U\{U^-, U^+\}$ defines a QTM.

As with any other computer, we need a mechanism to cause the QTM to halt when the computation ends. In a quantum machine there is a severe constraint on doing this because the principles of quantum mechanics do not allow us to observe or measure the QTM until it terminates. To know when this happens, we may set aside one of the qubits of the processor to signal the end. Let us choose the first qubit $|q_0\rangle$ to acquire the value 1 when the computation is over while it is 0 during the operations. The program does not interact with $|q_0\rangle$ until it has reached the end. Thus, the state $|q_0\rangle$ can be monitored periodically from the outside without affecting the operation of a QTM.

So far we have set up several connections between the components of quantum and classical Turing machines. Moreover, to complete this comparison, we can also think about the relationships concerning their functioning. Does a quantum TM somehow extend the notion of a classical TM? Yes, and this relation turns out to be very physical and it will sound familiar to us. Firstly, not all classical TMs are closely related to a quantum TM; only the reversible classical TMs will be, as follows from the discussion above. Then, it is possible for a quantum TM to reproduce the functioning of a reversible classical TM (Deutsch, 1985) if we choose its unitary evolution operator to have the following form:



U {p',m' x±1 \p,m x ) = 

2 [1 ± C(p,m 2 



(66) 



where A, B, C are maps of x Y[-^ ^ 2 ^21 ^2 and 
{ — 1,1}, respectively. 

This form of dynamics guarantees that this particular QTM will remain in a computational basis state (62) at the end of each time step. This is precisely the way a classical TM operates. The requirement of reversibility is guaranteed by demanding that the mapping $(p, m) \mapsto (A(p, m), B(p, m), C(p, m))$ be bijective.

Therefore, there is a particular limiting case in which a quantum TM becomes a reversible classical TM. This fact is somewhat reminiscent of the familiar correspondence principle of quantum mechanics to recover classical mechanics. This principle played a fundamental role in the development of the old quantum theory and the beginnings of modern quantum mechanics. Here we are following a similar path by starting with a revision of the classical fundamentals of information and computation to thereby develop their quantum versions.



1. Quantum Parallelism 

The capability of a quantum TM of being in several 
computational basis states at the same time is called 
quantum parallelism, and is one of the defining features 
of a QTM. The classical counterpart of this is the notion 
of classical parallelism introduced in Sec. 
quantum version of doing "many things at a time" 
classical parallel computer is the possibility of being in many states at a time in a quantum computer. Furthermore, in a classical computer it is not enough to have a large number of processors connected in parallel in order to perform computations efficiently. It is also necessary to have all of them appropriately synchronized to avoid message jams and disruptive functioning of the several processors, which would not operate coherently. Likewise, quantum parallelism is not enough to achieve a successful quantum computation. Recall that the result of a quantum computation is probabilistic. There is not a 100% certainty that after measuring the final output state it will contain the correct result we are searching for. We need to repeat the measurement several times in order to retrieve the correct value of the function or procedure for which the computer was devised. If we program the quantum computer carelessly, this number of measurements would be exponentially large, and all the potential advantages of quantum parallelism would be spoiled. What do we need to make good quantum programs? We need to reduce the number of trials to just a few. This will depend on how the evolution operator $U\{U^+, U^-\}$ and the initial memory states $|m\rangle$ are prepared. In order to become good quantum programmers we must be smart enough to devise them in such a way that the maxima of the probability distribution in the output state correspond to the desired result, while the rest of the possible results, which are useless for the purpose of our computation, must be somehow damped. We recognize this pattern of behaviour for the unitary operator $U\{U^+, U^-\}$ as the phenomenon of constructive interference of amplitudes in quantum mechanics. The typical example is the two-slit experiment.

We shall present explicit examples of how quantum parallelism and constructive interference work together when we deal with quantum algorithms in Sec. X. Now, we summarize these correspondences between classical parallel and quantum computers as follows:

Classical Parallel Computers

i) many things at a time
ii) synchronization of many processors

Quantum Computer

i) many states at a time
ii) constructive interference of many states

The quantum version of parallelism exceeds the classical one, for whereas in a quantum computer it is possible to have an exponentially large number of available states within a reduced space, this capacity seems unreachable in any known classical parallel computer.

In quantum mechanics there are some basic principles, like the correspondence principle, Heisenberg's principle, Pauli's principle, etc., which encode the fundamentals of that theory. The knowledge of those principles provides us with the essential understanding of quantum mechanics at a glance, without going into the complete formalism of that subject. A similar thing happens with other areas in physics. In computer science there are also guiding rules to devise the architecture of a computer (hardware) and the programs to be run (software). Likewise, in quantum computing we have seen that there are basic principles that serve us as a guide to get the most profit from a quantum computer. These principles refer to the ideas of quantum parallelism and quantum programming. We know that information and computation is physics. Thus, there must be a connection between the principles of quantum computation and the principles of quantum physics. It is useful to synthesize those relationships between both fields in the form of basic principles, as shown explicitly in Table V.

TABLE V: Principles of Quantum Computation.

       Computer Science             Quantum Physics
1st    Quantum Parallelism      =   Superposition Principle
2nd    Quantum Programming      =   Constructive Interference

By principles of quantum computation we mean those rules which are specific to the act of computing according to the laws of quantum mechanics. In this table we indicate that the quantum version of parallelism is realized through the superposition principle of quantum mechanical amplitudes; likewise the act of programming a quantum computer should be closely related to constructive interference of those amplitudes involved in the superposition of quantum states in the registers of a quantum computer. We shall see these principles in action when studying quantum algorithms (see Sec. X) that supersede their classical counterparts. This fact expresses that the capabilities of a quantum Turing machine go well beyond those of a classical Turing machine. The superposition principle when applied to multipartite quantum systems like those of a quantum register (see eq. (71) below) yields the notion of entanglement (Sec. II.A, Sec. [ÏÏO]).



2. Universal QTM 

The notion of universal Turing machine can also be extended to quantum Turing machines. A standard QTM is capable of performing only the job for which it has been set up. This is so because the unitary operator $U\{U^+, U^-\}$ and the memory quantum states $|m\rangle$ are chosen to do one specific task. Deutsch (1985) has shown that the elements $U\{U^+, U^-\}$ and $|m\rangle$ of a QTM can be devised to simulate with arbitrary precision any other quantum computer. This is the concept of universal quantum Turing machine. A universal QTM is thus a programmable quantum computer. We now give more explicit details about how a quantum TM is programmed.

Let $f$ be any function that we want to compute
with the universal QTM, and let $\pi(f)$ be a quantum program
to do the job. The quantum computer will take the
program $\pi(f)$ and a given input value $i$ and then compute
the desired value $f(i)$. This process is implemented
in a QTM as follows. There exists an integer ng n such 
that 

tT*«»|0;0;7r(/),i,0) = |0; 1, 0; tt(/), i, /(i), 0), (67) 

where the halting qubit is set to $|1\rangle$ after the computation
ends. In this expression we assume that the initial
quantum memory states are

\mj = \n(f),i,0), (68) 

while the final memory states contain the answer $f(i)$:

$$|m_{\rm fin}\rangle = |\pi(f), i, f(i), 0\rangle. \tag{69}$$



If in eq. (67) we focus only on the memory states, then we can use a short-hand notation for the unitary evolution, namely,

$$|\pi(f), i, j\rangle \longrightarrow |\pi(f), i, j \oplus f(i)\rangle. \tag{70}$$



Although a QTM has an infinite-dimensional memory space, much like a classical TM, we remark that only a finite-dimensional unitary transformation need be applied at every step of the computation to simulate the associated QTM evolution.

The concept of a quantum Turing machine has many implications that we shall continue to present. Most of these implications amount to a revision of the typical areas of classical computation in the light of the new principles of computation. For instance, now we can immediately address how the theory of complexity gets affected in its fundamentals. In Sec. VIII.A we mentioned that this theory deals with the issue of what a computer can do. Namely, it studies not only which functions can be computed, but also how fast and how much memory resources are needed. This scheme must be modified to convert it into a quantum complexity theory. In this new theory of complexity we must pose another question, "with which probability" can a quantum computer achieve a certain task. See Appendix for details.



B. Quantum Logic Gates

The quantum Turing machine is a basic model for quantum computation that deals with the new characteristics posed by quantum principles at a fundamental level, as compared with the classical functioning of a classical Turing machine. However, a quantum TM is not a practical starting point for designing a quantum computer, much like the classical Turing machine is not a handy computer.

The key idea is to decompose the functioning of a quantum computer into the simplest possible primitive operations or gates. The identification of universal logic gates, such as NAND, in classical computers (see Sec. VIII.D) was of great help in the development of the field. A universal gate such as NAND operates locally on a very reduced number of bits, actually two. However, combining NAND gates in the appropriate number and sequence we can carry out arbitrary computations on arbitrarily many bits. This was very useful in practice, for it allowed device engineers to focus on creating only a few devices, leaving the rest to the circuit designer. The same rationale applies to a quantum computer and the relation of a quantum Turing machine to quantum circuits.

When a quantum computer is working, it is a unitary evolution operator that is effecting a predetermined action on a series of qubits. These qubits form the memory register of the machine or a quantum register. A quantum register is a string of qubits with a predetermined finite length. The space of all the possible register states makes up the Hilbert space of states associated to the quantum computer. If $\mathcal{H}$ is the Hilbert space of a single qubit and $|\Psi_i\rangle \in \mathcal{H}$, $i = 1, 2$, a given basis state, then a basis vector $|\Phi\rangle$ for the states of the quantum register is a tensor product of qubit states

1$)

1*2

(71)

A quantum memory register can store multiple sequences of classical bits in superposition. This is a manifestation of the quantum parallelism.

FIG. 22: A generic quantum logic gate. The wavy lines
mean that the output state is a generic superposition of
product quantum states.


A quantum logic gate is a unitary operator acting on the states of a certain set of qubits. If the number of such qubits is n, the quantum gate is represented by a $2^n \times 2^n$ matrix in the unitary group $U(2^n)$. It is thus a reversible gate: we can reverse the action, thereby recovering the initial quantum state from the final one. Generically, a quantum logic gate can have any finite number of input qubits, but in practice we shall be interested in gates that are elementary for quantum computation, and those have a small number of input qubits. Diagrammatically, a quantum gate is represented by a "black box" wherein the operation takes place, and a number of input (output) lines, used to wire up a set of gates, equal to the number of qubits involved in the computation (see Fig. 22). Let us see more explicitly what quantum gates look like by giving some representative gates in increasing order of complexity.

1-Qubit Gates. These are the simplest possible gates, for they take one input qubit and transform it into one output qubit. The quantum NOT gate is a one-qubit gate. Its unitary evolution operator $U_{\rm NOT}$ is (11):

$$U_{\rm NOT} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}. \tag{72}$$



See Sec. X.C for more on quantum function evaluation.

FIG. 23: Quantum unary gates: a) NOT gate, b) $\sqrt{\rm NOT}$ gate, c) Hadamard gate.

The truth table and the diagram representing this gate are shown in Table III and Fig. 23, respectively. We see that this quantum NOT gate coincides with its classical counterpart. However, there is a basic underlying difference: the quantum gate acts on qubits while the classical gate does it on bits. This difference allows us to introduce a truly quantum one-qubit gate: the $\sqrt{\rm NOT}$ gate.37 Its matrix representation is



U 



VWoT 



V2 



(73) 



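This gate, when applied twice, gives NOT. Explicitly

$$U_{\sqrt{\rm NOT}}\, U_{\sqrt{\rm NOT}} = \begin{pmatrix} \frac{1+i}{2} & \frac{1-i}{2} \\ \frac{1-i}{2} & \frac{1+i}{2} \end{pmatrix} \cdot \begin{pmatrix} \frac{1+i}{2} & \frac{1-i}{2} \\ \frac{1-i}{2} & \frac{1+i}{2} \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} = U_{\rm NOT}. \tag{74}$$

This gate has no counterpart in classical computers since
it implements nontrivial superpositions of basis states.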

Another one-qubit gate without analogue in classical 
circuitry and heavily used in quantum computations is 
the so called Hadamard gate H (see Sec. III). It is defined 
as 



(75) 



2-Qubit Gates. The XOR (exclusive-OR), or CNOT (controlled-NOT) gate, is an example of a quantum logic gate on two qubits (12). It is instructive to give the unitary action $U_{\rm XOR, CNOT}$ of this gate in several forms. Its action on the two-qubit basis states is

$$U_{\rm CNOT}|00\rangle = |00\rangle, \quad U_{\rm CNOT}|10\rangle = |11\rangle, \\ U_{\rm CNOT}|01\rangle = |01\rangle, \quad U_{\rm CNOT}|11\rangle = |10\rangle. \tag{76}$$

From this definition we see that the name of this gate is quite apparent, for it means that it executes a NOT operation on the second qubit conditioned on having the first qubit in the state $|1\rangle$. Its matrix representation is



$$U_{\rm CNOT} = U_{\rm XOR} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix}. \tag{77}$$

The action of the CNOT operator (77) immediately translates into a corresponding truth table as in Table VI. The diagrammatic representation of the CNOT gate is shown in Fig. 24.

TABLE VI: The truth table of the quantum CNOT gate.

FIG. 24: Quantum binary gates: a) CNOT gate, b) CPHASE gate, c) SWAP gate.

We shall see how this quantum CNOT gate plays a paramount role in both the theory and experimental realization of quantum computers. It allows implementing conditional logic at a quantum level.

Unlike the CNOT gate, there are two-qubit gates with no analogous classical gate. One example is the controlled-phase gate or CPHASE:

CPh($\phi$)

It implements a conditional phase-shift $e^{i\phi}$ on the second qubit.

An important result is that we can reproduce the CNOT gate with a controlled-phase gate of $\phi = \pi$ and two Hadamard transforms on the target qubits as shown in Fig. 25. This is a simple consequence of the relation



(79) 



FIG. 25: Relation between CNOT gate and controlled-phase using Hadamard gates.

Other interesting two-qubit gates are the SWAP gate, which interchanges the states of the two qubits, and the $\sqrt{\rm SWAP}$ gate,38 whose matrix representations are

3-Qubit Gates. An immediate extension of the CNOT construction to three qubits yields the CCNOT gate (or $C^2$NOT),39 which is also called Toffoli gate T (Toffoli, 1981). The matrix representation is a one-qubit extension of the CNOT gate, namely

$$U_{\rm CCNOT} = U_T = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{pmatrix}. \tag{81}$$

The associated truth table is shown in Table VII. The first two input qubits x, y are copied to the first two output qubits x', y' (see Fig. 26), while the third output qubit z' is the XOR of the third input z and the AND of the first two inputs x, y.

TABLE VII: Truth table for the Toffoli gate.

FIG. 26: A set of three-qubit gates: a) Toffoli gate, b) Deutsch gate, c) Fredkin gate.

The Deutsch gate $D(\theta)$ (Deutsch, 1989) is also an important three-qubit gate. It is a controlled-controlled-S or $C^2S$ operation (see Fig. 26), where

is a unitary operation that rotates a qubit about the x axis by an angle $\theta$ and then multiplies it by a factor i. We demand $\theta$ to be incommensurate to $\pi$, that is, not a rational multiple of $\pi$. Several properties follow: 1) Let $|q\rangle$ be a given qubit, then for any fixed value of $\alpha \in \mathbb{R}$ we can get arbitrarily close to $e^{i\alpha\sigma_x}|q\rangle$ by successive application of $U_S(\theta)$ to $|q\rangle$ a finite number of times. 2) The Deutsch gate generates as closely as needed the Toffoli gate. This is because the $C^2S^n$ gate is just the $D^n$ gate. And since we can make $\frac{1}{4}(n\theta/\pi - 1)$, with $n = 4k + 1$, as near to a given arbitrary integer as desired, $D^n$ will thereby approach closely the Toffoli gate.

Another instance of a three-qubit gate is the Fredkin gate F (Fredkin and Toffoli, 1982). It is a controlled-SWAP operation, schematically shown in Fig. 26 and represented by the matrix

$U_F =$

37 Square-root-of-NOT gate.

38 Square-root-of-swap gate.

39 Controlled-controlled-not gate.
Needless to say, these unitary linear gates not only act on the basis states, but also on any linear combination of them.

We have enumerated a series of quantum logic gates whose use and importance will be explained in the following sections. We shall address the experimental implementation of some of these quantum gates in Sec. XI.



C. Quantum Circuits 

The simple gates introduced in the previous section can be assembled into a network-like arrangement that enables us to perform more complicated quantum operations than those initially carried out by those gates. This is the basic idea of a quantum circuit. Deutsch (1989) generalized the classical reversible circuit model to produce the idea of quantum circuits. A quantum circuit is a computational network composed of interconnected elementary quantum gates.

An example to illustrate a simple use of a quantum circuit is the following. Let us prepare initially a one-qubit state as an arbitrary superposition of the logical states $|0\rangle$, $|1\rangle$, namely

$$|\psi_0\rangle = a|0\rangle + b|1\rangle. \tag{84}$$

We want to obtain a final state of GHZ type (^2|):

$$|\psi_f\rangle = a|000\rangle + b|111\rangle. \tag{85}$$

To this purpose, instead of writing a pertinent sequence of algebraic operations, we can simply arrange the following quantum circuit using the CNOT gate as pictured in Fig. 27.




FIG. 27: An example of quantum circuit implementing a 
GHZ state. 
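The gate identities of Sec. IX.B and the GHZ circuit of Eqs. (84)-(85) can be checked numerically. The following Python code is an added example, not part of the original paper: it verifies unitarity, that the square-root-of-NOT gate squares to NOT (Eq. (74)), that CNOT is obtained from a controlled-phase gate with phase pi between two Hadamards on the target, and that two CNOTs map (a|0> + b|1>)|00> to a|000> + b|111>. Assumptions: the Hadamard and CPHASE matrices are the standard textbook ones, the two-CNOT arrangement is the usual GHZ circuit, and all function names are introduced here.

```python
import cmath
import math


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def kron(A, B):
    """Tensor product; the left factor acts on the leftmost qubit of a ket."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]


def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))]
            for i in range(len(A[0]))]


def identity(dim):
    return [[1 if i == j else 0 for j in range(dim)] for i in range(dim)]


def close(A, B, tol=1e-12):
    return all(abs(a - b) < tol for ra, rb in zip(A, B) for a, b in zip(ra, rb))


def is_unitary(U):
    return close(matmul(dagger(U), U), identity(len(U)))


def controlled_not(n, controls, target):
    """NOT on `target` when all `controls` are 1, as a 2^n x 2^n permutation
    matrix. Qubit 0 is the leftmost label in |x y z ...>."""
    dim = 2 ** n
    U = [[0] * dim for _ in range(dim)]
    for basis in range(dim):
        bits = [(basis >> (n - 1 - q)) & 1 for q in range(n)]
        if all(bits[c] for c in controls):
            bits[target] ^= 1
        out = sum(b << (n - 1 - q) for q, b in enumerate(bits))
        U[out][basis] = 1
    return U


S = 1 / math.sqrt(2)
NOT = [[0, 1], [1, 0]]                           # Eq. (72)
SQRT_NOT = [[(1 + 1j) / 2, (1 - 1j) / 2],
            [(1 - 1j) / 2, (1 + 1j) / 2]]        # matrix appearing in Eq. (74)
HADAMARD = [[S, S], [S, -S]]                     # standard definition (assumed)
CNOT = controlled_not(2, [0], 1)                 # action of Eq. (76)
TOFFOLI = controlled_not(3, [0, 1], 2)           # Eq. (81)


def cphase(phi):
    """Standard controlled-phase gate: multiplies |11> by exp(i*phi)."""
    U = identity(4)
    U[3][3] = cmath.exp(1j * phi)
    return U


def cnot_from_cphase():
    """Hadamard on the target qubit, CPHASE(pi), Hadamard on the target."""
    h_target = kron(identity(2), HADAMARD)
    return matmul(h_target, matmul(cphase(math.pi), h_target))


def ghz_from(a, b):
    """Apply CNOT(0->1) then CNOT(0->2) to (a|0> + b|1>)|00>."""
    start = [[a], [0], [0], [0], [b], [0], [0], [0]]
    circuit = matmul(controlled_not(3, [0], 2), controlled_not(3, [0], 1))
    return [row[0] for row in matmul(circuit, start)]


def toffoli_output(x, y, z):
    """Read the Toffoli truth table off the matrix: returns (x', y', z')."""
    column = [row[(x << 2) | (y << 1) | z] for row in TOFFOLI]
    out = column.index(1)
    return (out >> 2) & 1, (out >> 1) & 1, out & 1


if __name__ == "__main__":
    print("sqrt(NOT)^2 == NOT:", close(matmul(SQRT_NOT, SQRT_NOT), NOT))
    print("H.CPh(pi).H == CNOT:", close(cnot_from_cphase(), CNOT))
    print("GHZ amplitudes:", ghz_from(0.6, 0.8j))
```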

Quantum circuits are widely used in quantum computation, where most of the problems can be formulated in terms of them. Moreover, it might quite well be the case that standard quantum mechanics could be flooded with quantum circuits in the future, something similar to what happened with Feynman diagrams in quantum field theory. The reason is that quantum circuits are able to condense graphically much more information than the use of several formulas. Besides, this form of presenting and reasoning is closer to what experimental physicists really do with their devices.

In Sec. VIII. D| we presented the bàsic result that a 
clàssic Turing machine is equivalent to a classical lògic 



circuit. In quantum computing there is a similar result 
due to Yao (1993) showing that a quantum Turing ma- 
chine is equivalent to a quantum circuit. This theorem 
justifies replacing the more complicated study of quan- 
tum Turing machines by that of quantum circuits, which 
are simpler to analyze and design. In fact, experimental 
approaches to quantum computers are presented in terms 
of quantum circuits (see Sec. XI). 

Let K be a quantum Boolean or logic circuit with n input qubits. Suppose
that $|\Psi_x\rangle = \sum_{y\in\{0,1\}^n} c_x(y)|y\rangle$ is the final
quantum state of K for an input $x \in \{0,1\}^n$. The distribution
generated by K for the input x is defined as the map
$p_x : y \in \{0,1\}^n \mapsto |c_x(y)|^2$. The quantum circuit K is said
to (n, t)-simulate a quantum Turing machine Q if the family of
probability distributions $p_x$, $x \in \{0,1\}^n$, coincides with the
probability distributions of the Q configurations after t steps with
input x.40 Then Yao's theorem is the following statement:

Quantum Turing machines and quantum circuits: Let Q be a quantum Turing
machine and n, t positive integers. There exists a quantum Boolean
circuit K of polynomial size in n, t, that (n, t)-simulates Q.

This result implies that quantum circuits can mimic quantum Turing
machines in polynomial time, and vice versa. Thus, quantum circuits
provide a sufficient model for quantum computation that is easier to
implement and manipulate than QTMs. This situation goes in parallel with
similar results about classical Boolean circuits and Turing machines
(Sec. VIII.D). From now on when talking about a quantum computer we shall
usually refer to an underlying equivalent quantum circuit.



1. Universal quantum gates 

After the works of Deutsch (1989) and Yao (1993) the concept of a
universal set of quantum gates became central in the theory of quantum
computation. A set $\mathcal{G} := \{G_{1,n_1}, \ldots, G_{r,n_r}\}$ of
quantum gates $G_{j,n_j}$ acting on $n_j$ qubits, $j = 1, \ldots, r$, is
called universal if any unitary action $U_N$ on N input quantum states
can be decomposed into a product of successive actions of $G_{j,n_j}$ on
different subsets of the input qubits. More explicitly, given any $U_N$
acting unitarily on N qubits, there exists a sequence
$S_1, S_2, \ldots, S_s$ of subsets of $\{1, 2, \ldots, N\}$, with
$n_{S_1}, \ldots, n_{S_s}$ elements, and a map
$\pi : \{1, 2, \ldots, s\} \to \{1, 2, \ldots, r\}$ such that
$n_{\pi(j)} = n_{S_j}$, $\forall j$, and

$$U_N = U_{N,1} U_{N,2} \cdots U_{N,s}. \tag{86}$$

Here

$$U_{N,j} := 1_{\{1,2,\ldots,N\}-S_j} \otimes U_{G_{\pi(j)},S_j}, \tag{87}$$

40 We assume that a given configuration is encoded as a list of the tape
symbols from cell $-t$ to $t$, followed by the state and the position of
the cursor, all encoded as strings of qubits (see Sec. IX.A).

where $1_{\{1,2,\ldots,N\}-S_j}$ is the identity on the qubits not in
$S_j$, and $U_{G_{\pi(j)},S_j}$ stands for the unitary action of the gate
$G_{\pi(j)}$ on the Hilbert space of the $n_{S_j}$ qubits in the set
$S_j$.

For instance, a generic unitary $k \times k$ matrix of dimension $k > 2$
can be represented as the product of $k(k-1)/2$ two-level unitary
matrices (Reck et al., 1994).

This notion of universal set of gates is exact, for the generic
transformation $U_N$ is reproduced exactly in terms of a finite number of
elements in $\mathcal{G}$. We denote this situation by writing the
universal set as $\mathcal{G}_{\rm ex}$. However, this notion is too
strong. Dealing with practical quantum devices, it is not conceivable to
work with a set of gates implementing any other gate with perfect
accuracy. Thus, we are inevitably led to work with approximate
simulations of gates. Underlying this idea there is the concept of
distance between two unitary gates.

A quantum gate $U_N$ is said to be approximated by another gate $U'_N$
with error $< \epsilon$, when the distance
$d(U_N, U'_N) := \inf_{\theta\in\mathbb{R}} \|U_N - e^{i\theta} U'_N\|$
between both matrices as projective operators is $< \epsilon$.41,42 This
means that if the gate $U_N$ is replaced by gate $U'_N$ in a quantum
circuit K, then the unit rays of the associated output states will differ
in norm by at most $\epsilon$.43

With this definition, we also introduce the notion of an approximate set
of universal quantum gates as before but with the weaker requirement that
it simulates any other quantum gate in an approximate sense. We denote
these sets as $\mathcal{G}_{\rm ap}$, and by universality we shall mean
it in this sense henceforth, unless the exact notion is explicitly
indicated.

Some examples of universal sets of quantum gates, to be discussed next,
are the following (for a more mathematical and general approach, see
Brylinski et al., 2001):

1. $\mathcal{G}^{\rm I}_{\rm ex} := \{U_2 : U_2 \in U(2^2)\}$ (DiVincenzo, 1995).

2. $\mathcal{G}^{\rm II}_{\rm ex} := \{U_1, {\rm CNOT} : U_1 \in U(2)\}$ (Barenco et al., 1995).

3. $\mathcal{G}^{\rm III} := \{D\}$, Deutsch gate (82) (Deutsch, 1989).

4. $\mathcal{G}^{\rm IV} := \{C^2\text{-}U, C^2\text{-}W\}$, with U(a) := R y {^a) = 7y , $W(a) := {\rm diag}(1, e^{i2\pi a})$, a an irrational root of a degree-2 polynomial (Aharonov, 1998).

5. $\mathcal{G}^{\rm V}_{\rm ap}$ := {H,CPh(f )}, flrçD, <&, (Solovay, 1995; Kitaev, 1997; Cleve, 1999).

6. $\mathcal{G}^{\rm VI}_{\rm ap} := \{H, W, {\rm CNOT}\}$, with $W := {\rm diag}(1, e^{i\pi/4})$ (Cleve, 1999).

Of these examples, 1/ and 2/ correspond to infinite sets of universal
gates. However, a practical quantum computer must have a set with a
finite number of universal gates. Examples 3/ to 6/ are finite suitable
cases. Although with a finite set of gates we are limited to simulate a
countable subset of all possible quantum gates, it is possible to
reproduce an arbitrary gate within a given small error $\epsilon$.
Moreover, a finite universal set $\mathcal{G}_{\rm ap}$ is closer to the
spirit of the Church-Turing principle stating that a computing machine
must operate by finite means (Sec. IX.A).



A first example of 3-qubit universal gate is the Deutsch gate (Deutsch,
1989),44 which is an extension of the Toffoli gate $U_{\rm CCNOT}$ (81)
(Toffoli, 1981) for classical Boolean circuits. Toffoli gates are exactly
universal for reversible (classical) circuits.45 Deutsch showed that his
gate $D(\theta_0)$ with a fixed angle $\theta_0$ that is an irrational
multiple of $\pi$ is universal.

A further improvement in the analysis of quantum universal gates was
provided by DiVincenzo (1995) who showed that the set of two-qubit gates
is exactly universal for quantum computation. This is a remarkable result
since it is known that its classical analogue is not true: classical
reversible two-bit gates are not sufficient for classical computation.
The NAND gate, although binary, is not reversible.

After DiVincenzo's result it was shown that a large subclass of two-qubit
gates are universal (Barenco, 1995) and moreover, that almost any
two-qubit gate is universal.

The reduction from three to two qubits amounts to a big simplification in
the analysis of quantum circuits and in their experimental
implementation. It is much simpler to deal with two-body quantum
interactions than with a three-body problem.

The race towards bringing down the number of necessary qubits in the
elementary gates culminated with the joint work of Barenco et al. (1995)
in which it is shown that even one-qubit gates are enough for quantum
computation (in the exact sense) provided they are combined with the CNOT
gate. This result, another manifestation of the superposition principle,
is quite surprising since in classical computation the classical CNOT is
not universal.



41 The norm $\|A\|$ of the (finite) matrix A is usually defined as
$\sup_{\|x\|=1} \|Ax\|$. Other norms are topologically equivalent to it.

42 A compactness argument shows that the inf in the definition of d is
attainable, i.e. $\exists\,\theta_0$ such that
$d(U_N, U'_N) := \|U_N - e^{i\theta_0} U'_N\|$. From now on, we will
assume that the phase factor is included in the approximating unitary
operator $U'_N$.

43 The unit ray of a state vector $|\phi\rangle$ is the set
$[\phi] := \{e^{i\theta}|\phi\rangle : \theta \in \mathbb{R}\}$. A
distance between unit rays can be defined as
${\rm dist}([\phi_1], [\phi_2]) = \inf_{\theta\in\mathbb{R}} \|\phi_1 - e^{i\theta}\phi_2\|$,
which justifies the presence of a phase factor in the notion of an
approximate gate.

44 Previously Deutsch (1985) had already given a universal set of eight
$2 \times 2$ matrices.

45 To see that $C^2$-NOT is classically universal, notice that:
1/ ${\rm NOT}(x_3) = ({\rm CCNOT}(1,1,x_3))_3$;
2/ ${\rm AND}(x_1,x_2) = ({\rm CCNOT}(x_1,x_2,0))_3$; and apply now the
result (Sec. VIII.D) that {AND, NOT} is a classical universal set. See in
addition that the COPY operation is also reproduced as
${\rm COPY}(x_2) = ({\rm CCNOT}(1,x_2,0))_{2,3}$.

FIG. 28: Decomposition of an arbitrary two-qubit CU gate into one-qubit
gates and CNOTs. The symbol E denotes the gate E ^ |0), |1)

We shall refer to this important result as the universality theorem of
elementary quantum gates. The proof of this result (Barenco et al., 1995)
can be simply stated in terms of quantum circuits and it has three parts.
Firstly, we need to prove that with one-qubit gates plus CNOT it is
possible to generate any controlled-unitary two-qubit gate. Secondly,
this result is extended to a controlled-unitary gate with an arbitrary
number of qubits. And thirdly, one applies these results to construct any
unitary gate with one-qubit and CNOT gates.

1st Part. The proof of the first part is contained in the identity
between quantum circuits shown in Fig. 28. In the lower part we show a
controlled-unitary CU gate of two qubits associated to a unitary
$2 \times 2$ matrix U. The upper part shows its decomposition in terms of
one-qubit gates $U_1, U_2, U_3, E$ and CNOTs. The rationale of this
decomposition comes from group theory: any unitary $2 \times 2$ matrix U
can be decomposed as

$$U = {\rm Ph}(\delta)\tilde{U}, \qquad \tilde{U} := R_z(\alpha)R_y(\beta)R_z(\gamma) \in SU(2) \tag{88}$$

where $\delta$ is the phase (mod $\pi$) of the U(1) factor of U(2), and
$\alpha, \beta, \gamma$ are the Euler angles parameterizing the SU(2)
matrix $\tilde{U}$. More explicitly,

With the help of this decomposition we can further show that for any
unitary matrix $\tilde{U}$ in SU(2) there exist matrices
$U_1, U_2, U_3$ in SU(2) such that

$$U_1 U_2 U_3 = 1, \qquad U_1 \sigma_x U_2 \sigma_x U_3 = \tilde{U}. \tag{90}$$

The proof for this is by construction, namely,

$$U_1 = R_z(\alpha)R_y(\tfrac{1}{2}\beta), \qquad
U_2 = R_y(-\tfrac{1}{2}\beta)R_z(-\tfrac{1}{2}(\alpha+\gamma)), \qquad
U_3 = R_z(\tfrac{1}{2}(-\alpha+\gamma)). \tag{91}$$

Now, the equivalence between the quantum circuits of Fig. 28 proceeds by
considering the two possibilities for the first qubit.

i) $|x_1\rangle = |0\rangle$. In this case the CNOT gates are not
operative and using (90) we find that the second qubit $|x_2\rangle$ is
not altered.

ii) $|x_1\rangle = |1\rangle$. In this case the CNOT gates do act on the
second qubit producing altogether the chain of operations
${\rm Ph}(\delta)U_1\sigma_x U_2\sigma_x U_3|x_2\rangle$, which using
(90) turns out to be $U|x_2\rangle$. Recall that the
controlled-$\sigma_x$ gate is CNOT.

2nd Part. The proof of the second part is represented in Fig. 29 by
another identity between quantum circuits. The proof is by induction on
the number of qubits. We illustrate the simplest case. In the lower part
we show a controlled-controlled-unitary $C^2U^2$ gate of three qubits
associated to the square of an arbitrary unitary $2 \times 2$ matrix U.
The upper part shows its decomposition in terms of controlled two-qubit
gates (which in turn were already decomposed into one-qubit gates and
CNOTs in the first part) and CNOTs.

FIG. 29: Building-up a controlled-controlled-$U^2$ three-qubit gate from
elementary gates.



The proof of this equivalence proceeds by considering the possible
actions on the third qubit depending on the state of the other two
qubits:

i) $|x_1\rangle = |0\rangle$. In this case, the two CNOT gates become
inactive and so does the second controlled-U gate. We have two
possibilities: a) if $|x_2\rangle = |0\rangle$ then neither of the
remaining controlled gates operate and the net result is to leave
$|x_3\rangle$ unchanged; b) if $|x_2\rangle = |1\rangle$ then the effect
is now $U^\dagger U|x_3\rangle = |x_3\rangle$, as before.

ii) $|x_1x_2\rangle = |10\rangle$. Now the CNOT gates do operate on the
second qubit $|x_2\rangle$, and the second controlled-U gate acts on the
third qubit. However, the first U-gate is inactive. Thus, the first CNOT
gate changes the state of $|x_2\rangle$ to $|1\rangle$ and this makes the
$U^\dagger$-gate become operative. Later, the action of the second CNOT
brings the second qubit back to $|0\rangle$. Altogether, the final effect
on $|x_3\rangle$ is to yield $UU^\dagger|x_3\rangle = |x_3\rangle$, and
it remains unchanged again.

iii) $|x_1x_2\rangle = |11\rangle$. In this case we need to produce the
action of $U^2$ on the third qubit. Now, all the gates in Fig. 29 become
operative and we make a sequential counting of their effects. As
$|x_2\rangle = |1\rangle$, the first U-gate does operate on the third
qubit. Next, the action of the first CNOT gate sets
$|x_2\rangle = |0\rangle$ so that the $U^\dagger$-gate becomes inactive.
Then the second CNOT gate puts the second qubit back to $|1\rangle$.
Altogether, the final effect on $|x_3\rangle$ is to yield
$UU|x_3\rangle = U^2|x_3\rangle$, as required.

Finally, we can always choose the initial matrix U as the square root of
a unitary matrix, say $U^2 = V$, such that the output in Fig. 29 is a
$C^2V$-gate. For instance, if we choose U = e 17T ^ 4 R^(^9) we reproduce
the Deutsch gate (82).

Moreover, we can go on and provide a construction of an arbitrary $C^nV$
transformation (useful in quantum algorithms) by extending the
construction in Fig. 29 to an arbitrary number of qubits. For instance,
for a controlled-$U^2$ gate of 4 qubits we would have another qubit line
on Fig. 29 b) and then the construction holds by adding only a similar
line to Fig. 29 a) so that the two CNOT gates become CCNOT ($C^2$NOT)
gates and the last $C^2U$ gate also picks up another control qubit gate.
In general, for a n-qubit $C^{n-1}U^2$ gate that has $n-1$ control qubits
and one target qubit where $U^2$ acts, the construction in Fig. 29 is
generalized by simply using generalized $C^{n-2}$NOT gates with $n-2$
control qubits and a last $C^{n-1}U$ gate with $n-1$ control qubits. The
proof of this generalized construction follows straightforwardly.

3rd Part. Combining finally the results in Parts 1 and 2 with the
previously known construction of an arbitrary unitary matrix U as a
product of two-level (not necessarily one-qubit) unitary matrices of Reck
et al. (1994), one can easily represent U through one-qubit and CNOT
gates, concluding this way the proof that one-qubit gates plus CNOT is a
set of elementary gates for exact universal computation (Barenco et al.,
1995).
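The circuit identities behind Parts 1 and 2 of the proof, Eqs. (88), (90) and (91) and the case analysis for Fig. 29, can be checked numerically; the Python sketch below is an added example and not code from the paper. It assumes the conventions R_z(t) = diag(e^{it/2}, e^{-it/2}) and R_y(t) = [[cos t/2, sin t/2], [-sin t/2, cos t/2]], the form E = diag(1, e^{i delta}) for the gate on the control line, and the gate order read off from the three cases of Part 2; all function names are hypothetical.

```python
import cmath
import math

PI = math.pi
I2 = [[1, 0], [0, 1]]
SX = [[0, 1], [1, 0]]                      # Pauli sigma_x
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0],        # control: first qubit, target: second
        [0, 0, 0, 1], [0, 0, 1, 0]]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def chain(*ms):
    """Matrix product ms[0] ms[1] ... (the rightmost factor acts first)."""
    out = ms[0]
    for m in ms[1:]:
        out = matmul(out, m)
    return out

def kron(a, b):
    """Tensor product; `a` acts on the more significant qubit(s)."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def rz(t):  # assumed convention for R_z
    return [[cmath.exp(1j * t / 2), 0], [0, cmath.exp(-1j * t / 2)]]

def ry(t):  # assumed convention for R_y
    c, s = math.cos(t / 2), math.sin(t / 2)
    return [[c, s], [-s, c]]

def euler_unitary(alpha, beta, gamma, delta):
    """Eq. (88): U = Ph(delta) R_z(alpha) R_y(beta) R_z(gamma)."""
    su2 = chain(rz(alpha), ry(beta), rz(gamma))
    return [[cmath.exp(1j * delta) * x for x in row] for row in su2]

def factors(alpha, beta, gamma):
    """Eq. (91): the one-qubit gates U_1, U_2, U_3."""
    u1 = chain(rz(alpha), ry(beta / 2))
    u2 = chain(ry(-beta / 2), rz(-(alpha + gamma) / 2))
    u3 = rz((gamma - alpha) / 2)
    return u1, u2, u3

def cu_circuit(alpha, beta, gamma, delta):
    """Part 1: controlled-U from one-qubit gates and two CNOTs (4x4 matrix)."""
    u1, u2, u3 = factors(alpha, beta, gamma)
    e = [[1, 0], [0, cmath.exp(1j * delta)]]    # assumed form of gate E
    return chain(kron(e, u1), CNOT, kron(I2, u2), CNOT, kron(I2, u3))

def controlled(u):
    """Reference two-qubit controlled-U: identity on |0>, U on |1>."""
    return [[1, 0, 0, 0], [0, 1, 0, 0],
            [0, 0, u[0][0], u[0][1]], [0, 0, u[1][0], u[1][1]]]

def controlled_on(control, u):
    """Three qubits: apply u to qubit 3 when qubit `control` (1 or 2) is |1>."""
    m = [[0] * 8 for _ in range(8)]
    for idx in range(8):
        bits = (idx >> 2 & 1, idx >> 1 & 1)
        x3 = idx & 1
        for y3 in (0, 1):
            if bits[control - 1]:
                m[(idx & 0b110) | y3][idx] = u[y3][x3]
            else:
                m[(idx & 0b110) | y3][idx] = 1 if y3 == x3 else 0
    return m

def dagger(u):
    return [[complex(u[j][i]).conjugate() for j in range(2)] for i in range(2)]

def ccu2_circuit(u):
    """Part 2: controlled-controlled-U^2 from CU, CU-dagger and CNOT gates."""
    cnot12 = kron(CNOT, I2)                     # CNOT from qubit 1 to qubit 2
    return chain(controlled_on(1, u), cnot12, controlled_on(2, dagger(u)),
                 cnot12, controlled_on(2, u))

def cc(v):
    """Reference three-qubit gate: v on qubit 3 only when qubits 1, 2 are |11>."""
    m = [[1 if i == j else 0 for j in range(8)] for i in range(8)]
    for i in (0, 1):
        for j in (0, 1):
            m[6 + i][6 + j] = v[i][j]
    return m

def max_diff(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

if __name__ == "__main__":
    a, b, g, d = 0.7, 1.9, -2.3, 0.4            # constructed sample angles
    u = euler_unitary(a, b, g, d)
    print("Part 1 error:", max_diff(cu_circuit(a, b, g, d), controlled(u)))
    print("Part 2 error:", max_diff(ccu2_circuit(u), cc(chain(u, u))))
```

With the angles (0, pi, pi, pi/2) the matrix U of Eq. (88) is sigma_x under these conventions, so `cu_circuit` reproduces the CNOT matrix itself.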

So far we have only cared about the possibility of reconstructing a
generic quantum gate from a given set of gates. The complexity of these
constructions, measured by the number of basic gates necessary to achieve
a certain gate simulation, is of great interest.

As an example of this issue, it is also interesting to count how many
elementary gates in $\mathcal{G}^{\rm II}_{\rm ex}$ are needed to
simulate a general $C^nU$ gate. For instance, for a $C^2U$ gate the first
part of the proof yields 4 one-qubit gates and 2 CNOTs. For a generic
controlled gate of n control qubits $C^nU$, the second part of the proof
yields a quadratic dependence on n. To see this, let us denote by $C_n$
the cost of simulating a $C^nU$ gate. From the first part of the proof we
know that the cost of simulating the U- and $U^\dagger$-gates in Fig. 29
is order $\Theta(1)$;46 on the other hand, it is not difficult to show
that the cost of the two $C^{n-1}$NOTs is $\Theta(n+1)$ (Barenco et al.,
1995). The cost of the generalized $C^{n-1}U$ gate is $C_{n-1}$, by
recursive application of the recursive construction. Altogether, the cost
of a gate satisfies a recursion relation like this

$$C_n = C_{n-1} + \Theta(n+1), \tag{92}$$

whose solution yields $C_n = O((n+1)^2)$.

What is the size (number of gates) for exactly simulating an arbitrary
gate of n qubits in $U(2^n)$? Barenco et al. (1995) showed that using the
universal set this cost is $O(n^3 4^n)$;47 Knill (1995) reduced this
bound to $O(n4^n)$.

However, we are also interested in the efficiency of the approximate
simulation of a generic gate. The universality property of a set of gates
$\mathcal{G}_{\rm ap}$ means that, given an arbitrary quantum gate
$U \in U(2^n)$ and $\epsilon > 0$, we can always devise an approximate
quantum gate $U'$ generated by $\mathcal{G}_{\rm ap}$ such that
$d(U, U') < \epsilon$. The errors scale up linearly with the number of
gates: given N gates $U_i$ and their approximations $U'_i$, then the
telescopic identity
$U_1 \cdots U_N - U'_1 \cdots U'_N = \sum_{1\le k\le N} U'_1 \cdots U'_{k-1}(U_k - U'_k)U_{k+1} \cdots U_N$
yields immediately $\|U_1 \cdots U_N - U'_1 \cdots U'_N\| < N\epsilon$.

This construction can be done efficiently using ${\rm poly}(1/\epsilon)$
gates from the universal set (Lloyd, 1995; Preskill, 1998). Although we
will not prove it, the underlying reason is simple: 1/ any universal set
generates unitary matrices having eigenvalues with phases incommensurate
relative to $\pi$; 2/ if $\theta/\pi \in \mathbb{R}$ is irrational, then
the integral powers $e^{ik\theta}$, $k \in \mathbb{Z}$ are dense in the
unit circle $S^1$, and given $\epsilon > 0$, any $e^{i\alpha} \in S^1$ is
within a distance $\epsilon$ of some $e^{in\theta}$ with
$n = O(1/\epsilon)$.

As a matter of fact, we can do much better than approximating a given
n-qubit gate with circuits of size ${\rm poly}(1/\epsilon)$ in the
universal set $\mathcal{G}_{\rm ap}$. A theorem of Solovay and Kitaev
shows that an exponentially improved approximation is possible (Solovay,
1995; Kitaev, 1997): Let $\mathcal{G}_{\rm ap}$ be an arbitrary finite
universal set of gates, i.e. $\mathcal{G}_{\rm ap}$ generates a dense
subset in $U(2^n)$. Then, any matrix $U \in U(2^n)$ can be approximated
within an error $\epsilon$ by a product of
$O({\rm poly}(\log(1/\epsilon)))$ gates in $\mathcal{G}_{\rm ap}$ (more
precisely, $O({\rm poly}(\log(1/\epsilon))) = O(\log^c(1/\epsilon))$,
with $c \approx 2$). The idea of the proof is to construct thinner and
thinner nets of points in $U(2^n)$ by taking group commutators of
unitaries in previous nets. It turns out that this way the width of the
resulting nets decreases exponentially.

Finally, when the above Solovay-Kitaev theorem is combined with the
complexity for exactly simulating gates with
$\mathcal{G}^{\rm II}_{\rm ex}$, and the linearity of the error
propagation with the number of gates, it immediately follows that any
unitary gate $U \in U(2^n)$ can be approximated to within error
$\epsilon$ with $O(n4^n \log^c(n4^n/\epsilon))$ gates in any
$\mathcal{G}_{\rm ap}$. Note that this represents an exponential
complexity in the number of qubits, i.e. most gates will be hard to
simulate.

46 One writes $y = \Theta(x)$ to denote that both $y = O(x)$ and
$x = O(y)$ hold simultaneously.

47 The factor $n^3$ arises from the cost $O(n)$ to bring a generic
two-level matrix to a $C^{n-1}$-unitary matrix which in turn costs
$O(n^2)$. The dominant factor $4^n$ just counts asymptotically the
maximum number of two-level unitary factors in the Reck et al.
decomposition.

2. Arithmetics with QCs



FIG. 31: A gate for function evaluation. 



The universality theorem of elementary quantum gates is a central result
in the theory of quantum computation for it reduces the implementation of
conditional quantum logic to a small set of simple operations. However,
with a computer we are typically interested in doing arithmetic
operations and thus we need to know how to perform quantum arithmetics
with universal quantum gates. Vedral, Barenco and Ekert (1995) provided
efficient ways of doing arithmetic operations such as addition,
multiplication and modular exponentiation building on the Toffoli gate.
The key point in their constructions is that we have to preserve the
coherence of quantum states and make those operations reversible, unlike
in a classical computer. For instance, the AND operation of Sec. VIII.D
can be made reversible by embedding it into a Toffoli gate (Ekert, Hayden
and Inamori, 2000): setting the third qubit to zero in (81) we get

$$U_{\rm CCNOT}|x_1, x_2, x_3 = 0\rangle = |x_1, x_2, x_1 \wedge x_2\rangle. \tag{93}$$

Similarly, the quantum addition can be embedded into a Toffoli gate as
shown in Fig. 30 with the help of a CNOT gate for the first two qubits.
The result of the addition is stored in the second qubit.

FIG. 30: The quantum addition from a Toffoli gate.

A quantum multiplication can be implemented in a similar fashion and also
the exponentiation modulo N (Vedral, Barenco and Ekert, 1995). This
latter operation is central in the Shor algorithm (Sec. X.D).

Another important operation that must be implemented in a quantum circuit
is the evaluation of a function f. This must again comply with the
requisite of reversibility, which is accomplished with a $U_f$-gate as
shown in Fig. 31, where $U_f$ is a unitary transformation that implements
the action of f on certain qubits of the circuit. In this figure the box
representing the evaluation of the gate is a kind of black box, also
called quantum oracle, which represents the way in which we call or
evaluate the function f. These evaluations are also called queries.



Reversible implementation of f requires splitting the quantum register
storing an initial state $|\Psi_0\rangle$ into two parts: the source
register and the target register, namely,

$$|\Psi_0\rangle = |\Psi_s\rangle \otimes |\Psi_t\rangle, \tag{94}$$

where $|\Psi_s\rangle$ stores the input data for the computation and
$|\Psi_t\rangle$ stores the output data, that is, the results of the
quantum evolution or application of logic gates.

Thus, in order to implement a Boolean function
$f : \{0,1\}^m \to \{0,1\}$ in a quantum circuit we need the action of a
unitary gate $U_f$ acting on the target register as follows

$$U_f|x_1x_2 \ldots x_m\rangle_s|x_{m+1}\rangle_t = |x_1x_2 \ldots x_m\rangle_s|x_{m+1} \oplus f(x_1, x_2, \ldots, x_m)\rangle_t. \tag{95}$$

Why is it not possible to evaluate directly the action of f by a unitary
operation that evolves $|x\rangle$ into $|f(x)\rangle$? The answer lies
in unitarity of computation: we know that orthonormality is preserved
under unitary transformations, thus if f is not a one-to-one mapping then
two states $|x_1x_2 \ldots x_m\rangle$ and $|x'_1x'_2 \ldots x'_m\rangle$
that are initially orthonormal could evolve into two non-orthonormal
states, say
$|f(x_1, x_2, \ldots, x_m)\rangle = |f(x'_1, x'_2, \ldots, x'_m)\rangle$.

In the following we shall omit for simplicity the subscripts denoting
source and target registers.



X. QUANTUM ALGORITHMS

In this section we present a survey of the most representative quantum
algorithms to date, named after Deutsch-Jozsa, Simon, Grover and Shor,
without entering the many spinoffs and ramifications that they have led
to (Bernstein and Vazirani, 1993; Hogg, 1998; Kitaev, 1995; etc). We also
use these quantum algorithms to emphasize and see in action the main
ideas concerning the principles of quantum computation introduced in
Sec. IX.

Due to space constraints, we have left out some interesting developments
like quantum clock synchronization48 (Chuang, 2000; Jozsa et al., 2000)
and quantum games (Meyer, 1999; Eisert, Wilkens and Lewenstein, 1999)49.

48 A way to make two atomic clocks start ticking at once. This can also
be considered as an application of the quantum Fourier transform (see
Sec. X.D) for quantum phase estimation (Cleve et al., 1998).

The merging of Quantum Mechanics and Information Theory has proved to be
very fruitful. One of the products of this is the discovery of quantum
algorithms that outperform classical ones. It is appealing to think that
the outcome of this merging is the fact that we can take classical
algorithms and devise quantization processes in order to discover new
modified quantized versions of classical algorithms. By quantizing a
classical algorithm it is simply meant the possibility of using quantum
bits in a quantum computer as opposed to the classical bits, and all the
consequences thereof. This way of thinking is reminiscent of a well-known
procedure of studying a quantum system by starting with its classical
analogue and making a quantization of it, using for instance Dirac's
prescription. One instance of this proposal is Shor's algorithm
(Sec. X.D). In fact, Shor's algorithm relies on its ability to find the
period of a simple function in number theory. The known classical
algorithms for this task are inefficient because, as mentioned in
Sec. VI, they have subexponential complexity in the input length (unless
hard information is supplied aside). However, when qubits are used to
implement the common algorithm (we quantize it in our language), then the
principles of quantum computation shorten the task to polynomial time.
The peculiar properties of the discrete quantum Fourier transform
(Sec. X.D) are responsible for this drastic improvement.

Shor's algorithm also illustrates another common feature of the quantum
algorithms known so far: they are best suited to study global properties
of a function or a sequence as a whole, like finding the period of a
function, the median of a sequence, etc, and not individual details. When
the value of the function is needed for a particular choice of the
argument, no real advantage is gained: one has to extract it from the
quantum superposition and this may generally require measuring many times
on the output to compensate the low probability, exponentially small in
the register length, of getting the desired result.

Let us point out that it is possible to give a unified picture of most of
the forthcoming algorithms in terms of the hidden subgroup problem: to
find a generating set for a subgroup K of a finitely generated group G,
given a function $f : G \to X$, where X is a finite set and f is constant
and distinct on the K-cosets. Some instances of this problem are the
Deutsch-Jozsa, Simon and Shor algorithms (Mosca and Ekert, 1999; Boneh
and Lipton, 1995). Likewise, one may profitably view the quantum
computation process as a multiparticle quantum interference (Cleve et
al., 1998). However, we have adhered to a more traditional and historical
pathway of presenting these quantum algorithms.

A. Deutsch-Jozsa Algorithm

This is the quantum algorithm first introduced by Deutsch (1985),
providing an explicit and concrete example of how a quantum computer can
beat a classical computer. Later, it was extended to more complex
situations by Deutsch and Jozsa (1992). We shall present first an
improved version (Cleve et al., 1998) of this algorithm for the simplest
case of a Boolean function of a single qubit.

Suppose we are given an oracle which upon request computes a function
$f : \{0,1\}^n \to \{0,1\}$. No other information on f is available, just
the promise or assumption that f is either constant (i.e.
$\forall x_1, x_2 \in \{0,1\}^n$, $f(x_1) = f(x_2)$) or balanced (in the
sense that $\#f^{-1}(0) = \#f^{-1}(1)$, i.e. the numbers of arguments
mapping to 0 and to 1 are equal). The problem is to ascertain whether f
is constant or balanced with as few queries to the oracle as possible.

The result of the DJ algorithm is that we only need one query or function
evaluation to determine the nature of f, while classically $2^{n-1} + 1$
consultations would be necessary in the worst case.

Let us see this first when n = 1. Now f is balanced iff
$f(0) \neq f(1)$, and thus the promise is worthless. The quantum circuit
in Fig. 32 implements the DJ algorithm, and embodies the following steps:

Step 1. An initial quantum register is prepared with two qubits in the
state $|\Psi_1\rangle := |01\rangle$.

Step 2. The Hadamard gate J75| ) is applied bit-wise to this quantum
register, producing the state

$$|\Psi_2\rangle := U_H|0\rangle \otimes U_H|1\rangle = \tfrac{1}{2}(|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle). \tag{96}$$

Step 3. We query the f-oracle with the state $|\Psi_2\rangle$, and get
the answer $|\Psi_3\rangle := U_f|\Psi_2\rangle$. Using (95) we readily
find

$$|\Psi_3\rangle = U_f\,\tfrac{1}{2}\sum_{x=0,1}|x\rangle(|0\rangle - |1\rangle)
= \tfrac{1}{2}\sum_{x=0,1}(-1)^{f(x)}|x\rangle(|0\rangle - |1\rangle). \tag{97}$$

Step 4. The Hadamard gate is applied again to the first qubit, which
yields

$$|\Psi_4\rangle := \tfrac{1}{2}\sum_{x=0,1}(-1)^{f(x)}\,U_H|x\rangle\,(|0\rangle - |1\rangle)
= \tfrac{1}{2\sqrt{2}}\sum_{x=0,1}\left[(-1)^{f(x)}|0\rangle + (-1)^{x+f(x)}|1\rangle\right] \otimes (|0\rangle - |1\rangle). \tag{98}$$

Step 5. Finally, we measure (in the computational basis) the first qubit
(the second qubit plays no role anymore). There are two possibilities:
i) either f is constant, and then the first-qubit amplitude of
$|1\rangle$ in (98) vanishes and we measure $|0\rangle$ with certainty;
ii) or f is not constant and consequently it is balanced, in which case
it is the amplitude of $|0\rangle$ in (98) which vanishes and we measure
$|1\rangle$ with certainty.

FIG. 32: Quantum circuit for the Deutsch-Jozsa algorithm.

Therefore, with this DJ algorithm we only need to call the function once
in order to determine whether it is constant or balanced.

49 Quantum games appear so far to be more related to quantum
communication protocols (Sec. III) or to applications of the above
quantum algorithms.

Let us point out how the peculiarities of quantum mechanics enter in the
algorithm and provide its power. In step 2 it is possible to prepare a
superposition of all the basis states using the Hadamard gates which have
no classical analogue. In step 3 we evaluate the function on all the
basis states at one go. However, this is not enough and we need to use
interference of the quantum amplitudes in step 5 to discriminate between
the two possibilities we were searching for. This is a simple
manifestation of the idea of using constructive interference to distill
the desired results as was already advanced in Sec. IX.A (see Table^).

The extension of the DJ algorithm to a function of n qubits
$f : \{0,1\}^n \to \{0,1\}$ constrained to be either constant or balanced
can be done with the help of the quantum circuit shown in Fig. 33.
Following this circuit we can extend the previous 5 steps immediately. We
prepare a source register with n qubits initialized to $|0\rangle$ and a
target register with one qubit initialized to $|1\rangle$. With x we
denote the integer $x := \sum_{i=0}^{n-1} x_i 2^i$ associated to the
string of bits $x_{n-1} \ldots x_1x_0$, and
$|x\rangle := |x_{n-1} \ldots x_1x_0\rangle$.

Let $|\Psi_1\rangle := |0\rangle|1\rangle$. After the bit-wise
application of the Hadamard gate to $|\Psi_1\rangle$ we find

$$|\Psi_2\rangle := U_H^{\otimes(n+1)}|\Psi_1\rangle
= (U_H|0\rangle)(U_H|0\rangle) \cdots (U_H|0\rangle)(U_H|1\rangle)
= \frac{1}{2^{n/2}}\sum_{x=0}^{2^n-1}|x\rangle\,\frac{1}{\sqrt{2}}\sum_{y=0,1}(-1)^y|y\rangle. \tag{99}$$

Using (95), the function evaluation on $|\Psi_2\rangle$ yields the
following state

$$|\Psi_3\rangle := U_f|\Psi_2\rangle
= \frac{1}{2^{n/2}}\sum_{x=0}^{2^n-1}(-1)^{f(x)}|x\rangle\,\frac{1}{\sqrt{2}}\sum_{y=0,1}(-1)^y|y\rangle. \tag{100}$$

In the next step we apply again the Hadamard gates but only on the n
source qubits. After some algebra we arrive at the final state
$|\Psi_4\rangle$ given by

$$|\Psi_4\rangle := (U_H^{\otimes n} \otimes 1)|\Psi_3\rangle
= \frac{1}{2^n}\sum_{x=0}^{2^n-1}\sum_{x'=0}^{2^n-1}(-1)^{f(x)+x\cdot x'}|x'\rangle\,\frac{1}{\sqrt{2}}\sum_{y=0,1}(-1)^y|y\rangle, \tag{101}$$

where $x \cdot x' := \sum_{i=0}^{n-1} x_i x'_i$.

If f is constant, then it produces an overall sign factor in (101), and
after the double summation only the state $|x'\rangle = |0\rangle$
survives. On the contrary, if f is balanced, then the same reasoning
shows that such state has zero amplitude in $|\Psi_4\rangle$. In summary,
only when all the final source qubits are $|0\rangle$ the function is
constant; otherwise, it is balanced.

Thus, measuring the state of the source qubits we can determine the
nature of f with certainty.

This final measurement step allows us to take advantage of the
interference among amplitudes obtained in previous stages.

A single query to the function black box has proved sufficient. However,
with the classical algorithms known so far we would require a number of
$2^{n-1} + 1$ function evaluations (in the worst case) to determine with
certainty which type of function f is. This represents an exponential
speed-up for this quantum algorithm.

Let us point out that classically, given any $1 > \epsilon > 0$, it is
also possible to devise an efficient probabilistic algorithm such that
running it a large enough number of times M (independent of the input
length n) will determine whether any given function f is constant or
balanced, with error probability $< \epsilon$. This is the procedure: the
function f is evaluated for M random choices of the argument. When any
two of the values differ, then we know that f is balanced. However, when
all values are equal then the error probability in claiming that f is
constant will be less than $2^{-M}$. Thus, it suffices to choose M such
that $2^{-M} < \epsilon$. In this sense, the quantum DJ algorithm is not
such an impressive improvement over classical algorithms.



FIG. 33: Extended Deutsch-Jozsa algorithm.

B. Simon Algorithm

Simon's algorithm (1994) uses several tools of the DJ algorithm. It deals with a
vector-valued Boolean function $f : \{0,1\}^n \to \{0,1\}^n$ which is
constrained by the following condition or promise: there exists a non-null
vector $p \in \{0,1\}^n$, called the period of $f$, such that $f(x) = f(y)$ if
and only if either $x = y$ or $x = y \oplus p$. Note that such an $f$ is
necessarily a 2-to-1 function.

This algorithm finds the period $p$ after a number $O(n)$ of function
evaluations, while the known classical algorithms would require an exponential
number of queries.

The steps in Simon's algorithm can be seen in Fig. 34. Both the source and
target registers have $n$ qubits each. The algorithm proceeds as follows:⁵⁰

Step 1. The quantum registers are initialized to the state

$$|\Psi_1\rangle := |0\rangle|0\rangle = |00 \ldots 0\rangle|00 \ldots 0\rangle.$$

Step 2. The Hadamard gate (73) is applied bit-wise to the source register,
producing the state

$$|\Psi_2\rangle := (U_H|0\rangle) \cdots (U_H|0\rangle)|0\rangle = \frac{1}{2^{n/2}} \sum_{x=0}^{2^n-1} |x\rangle|0\rangle. \qquad (102)$$

Step 3. The vector-valued function $f$ is evaluated on the target qubits by
applying the gate $U_f$. Using (|9^) we readily find the entangled state
(Sec. |ÏJ)

$$|\Psi_3\rangle := U_f|\Psi_2\rangle = \frac{1}{2^{n/2}} \sum_{x=0}^{2^n-1} |x\rangle|f(x)\rangle. \qquad (103)$$

Step 4. A further application of the Hadamard gates to the source qubits
results in the state

$$|\Psi_4\rangle = \frac{1}{2^{n+1}} \sum_{x,y=0}^{2^n-1} \left[ (-1)^{x \cdot y} + (-1)^{(x \oplus p) \cdot y} \right] |y\rangle|f(x)\rangle. \qquad (104)$$

Note that only those qubit states $|y\rangle$ such that $p \cdot y = 0$ enter
with non-vanishing amplitudes in $|\Psi_4\rangle$. The remaining ones are washed
out by destructive interference.

Step 5. An ideal measurement of the source qubits (in the computational basis)
will necessarily yield a state $|y\rangle$ such that $p \cdot y = 0$ with
probability $2^{-(n-1)}$.

Step 6. Repeating the previous steps $M$ times we will get $M$ vectors
$y^{(i)}$ such that

$$p \cdot y^{(i)} = 0, \quad i = 1, \ldots, M. \qquad (105)$$

Solving this linear system with the Gaussian elimination algorithm will yield
the period $p$ with probability large enough provided $M = O(n)$.
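The classical half of steps 5 and 6, as an added example that is not part of the original paper: the quantum measurement is replaced by a constructed sampler that draws $y$ uniformly from the vectors with $p \cdot y = 0$, and the period is then recovered by Gaussian elimination over $\mathbb{Z}_2$. Vectors are stored as Python integers (bit $i$ is component $i$), and all function names are hypothetical.

```python
import random


def dot2(a, b):
    """Inner product over Z_2 of two bit-vectors stored as integers."""
    return bin(a & b).count("1") & 1


def sample_measurement(p, n, rng):
    """Constructed stand-in for step 5: a uniform y with p.y = 0 (mod 2)."""
    while True:
        y = rng.getrandbits(n)
        if dot2(p, y) == 0:
            return y


def rref_gf2(rows):
    """Reduced row echelon form over Z_2, returned as {pivot_bit: row}."""
    pivots = {}
    for row in rows:
        # Clear every existing pivot bit from the incoming row.
        for bit, r in pivots.items():
            if row >> bit & 1:
                row ^= r
        if row == 0:
            continue                      # linearly dependent equation
        bit = row.bit_length() - 1        # new pivot: highest remaining bit
        # Clear the new pivot bit from the rows already stored.
        for b in list(pivots):
            if pivots[b] >> bit & 1:
                pivots[b] ^= row
        pivots[bit] = row
    return pivots


def recover_period(samples, n):
    """Solve p.y = 0 for all samples; None until the rank reaches n - 1."""
    pivots = rref_gf2(samples)
    if len(pivots) != n - 1:
        return None
    # Exactly one column has no pivot; the non-null solution has a 1 there.
    free = next(b for b in range(n) if b not in pivots)
    p = 1 << free
    for bit, row in pivots.items():
        if row >> free & 1:               # row reads p_bit + p_free = 0
            p |= 1 << bit
    return p


def simon_classical_part(hidden_p, n, seed=1):
    """Repeat the (simulated) measurement until p is determined.

    Returns (recovered period, number of measurements used)."""
    rng = random.Random(seed)
    samples = []
    while True:
        samples.append(sample_measurement(hidden_p, n, rng))
        p = recover_period(samples, n)
        if p is not None:
            return p, len(samples)


if __name__ == "__main__":
    p, used = simon_classical_part(0b10110010, 8)
    print(f"period {p:08b} recovered from {used} measurements")
```

At least $n - 1$ measurements are always needed, because the solution is fixed only once the sampled equations have rank $n - 1$.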



⁵⁰ Sometimes one introduces, for didactical purposes, a further
step in which the target qubits are measured (Jozsa, 1997).

FIG. 34: Quantum circuit for Simon's algorithm.



The cost of Simon's algorithm is $O(n^2 + n C_f(n))$, where $C_f(n)$ is the cost
of evaluating the function $f$ on inputs of length $n$. The term $n^2$ is just
the cost of the Gaussian elimination over $\mathbb{Z}_2$.

However, a classical blind search would require $2^{n-1} + 1$ calls to the
oracle in the worst case, and on the average a number $O(2^{n/2})$ of function
evaluations (Shor, 2000). Thus, Simon's algorithm represents an exponential
speed-up.

We note in passing that Simon's algorithm resorts to a classical algorithm
(Gaussian elimination) to finish off the job. We shall find another interesting
collaboration between quantum and classical procedures in Shor's algorithm.

C. Grover Algorithm 

The previous quantum algorithms show explicitly some instances where a quantum
computer beats a classical computer, as was advanced in Sec. VIII.A devoted to
quantum Turing machines. However, they also present several drawbacks:

i) utility: it is not clear what they are useful for in practical applications.

ii) structure: the searched functions are constrained to comply with certain
promises. These are called structured problems. Thus, we may feel as if those
constraints quantumly conspire in favor of the DJ and Simon algorithms.

Grover's algorithm (1996, 1997) represents an example of unstructured problem:
one in which no assumptions are made about the function $f$ under scrutiny.
Thus, we can contrast classical and quantum algorithms on equal footing.
Although it came after Shor's algorithm (1994), we present it first for it is
quite related to the previous algorithms.

The algorithm by Grover solves the problem of searching an element in a list of
$N$ unsorted elements. For instance, searching a database like a telephone book
when we know the number but not the person's name. When the size of the
database becomes very large it is known to be one of the basic problems in
computational science (Knuth, 1975). The utility of one such algorithm is
guaranteed. Classically, one may devise many strategies to perform that search,
but if the elements in the list are randomly distributed, then we shall need to
make $O(N)$ trials in order to have a high confidence of finding the desired
element. Grover's quantum searching algorithm takes advantage of the quantum
mechanical properties to perform the searching problem with an efficiency of
order $O(\sqrt{N})$ (Grover, 1996; 1997).

Let us state the searching problem in terms of a list
$\mathcal{L}[0, 1, \ldots, N-1]$ with a number $N$ of unsorted elements. We
shall denote by $x_0$ the marked element in $\mathcal{L}$ that we are looking
for. The quantum mechanical solution of this searching problem goes through the
preparation of a quantum register in a quantum computer to store the $N$ items
of our list. This will allow exploiting quantum parallelism. Thus, let us assume
that our quantum registers are made of $n$ source qubits so that $N = 2^n$. We
shall also need a target qubit to store the output of function evaluations or
calls.

To implement the quantum search we need to construct a unitary operation that
discriminates between the marked item $x_0$ and the rest. The following function

$$f_{x_0}(x) := \begin{cases} 0 & \text{if } x \neq x_0, \\ 1 & \text{if } x = x_0, \end{cases} \qquad (106)$$

and its corresponding unitary operation (95)

$$U_{f_{x_0}} |x\rangle|y\rangle = |x\rangle|y \oplus f_{x_0}(x)\rangle \qquad (107)$$

will do the job. We shall need to count how many applications of this operation
or oracle calls are needed to find the item. The rationale behind the Grover
algorithm is: 1/ to start with a quantum register in a state where all the
computational basis states are equally present; 2/ to apply several unitary
transformations to produce an output state in which the probability of catching
the marked state $|x_0\rangle$ is large enough.
FIG. 35: The quantum circuit (up to an irrelevant global sign factor) for
Grover's algorithm.

We present now the steps in Grover's algorithm, with the quantum circuit shown
in Fig. 35.

Step 1. Initialize the quantum registers to the state
$|\Psi_1\rangle := |00 \ldots 0\rangle|1\rangle$.

Step 2. Apply bit-wise the Hadamard one-qubit gate (75) to the source register,
so as to produce a uniform superposition of basis states in the source
register, and also to the target register:

$$|\Psi_2\rangle := U_H^{\otimes(n+1)}|\Psi_1\rangle = \frac{1}{2^{(n+1)/2}} \sum_{x=0}^{2^n-1} |x\rangle \sum_{y=0,1} (-1)^y |y\rangle. \qquad (108)$$

Step 3. Apply now the operator $U_{f_{x_0}}$:

$$|\Psi_3\rangle := U_{f_{x_0}}|\Psi_2\rangle = 2^{-(n+1)/2} \sum_{x=0}^{2^n-1} (-1)^{f_{x_0}(x)} |x\rangle \sum_{y=0,1} (-1)^y |y\rangle. \qquad (109)$$

Let $U_{x_0}$ be the operator defined by

$$U_{x_0}|x\rangle := (1 - 2|x_0\rangle\langle x_0|)|x\rangle = \begin{cases} -|x_0\rangle & \text{if } x = x_0, \\ |x\rangle & \text{if } x \neq x_0, \end{cases} \qquad (110)$$

that is, it flips the amplitude of the marked state leaving the remaining
source basis states unchanged. Grover presents this operator graphically as in
Fig. 36, with a sort of "quantum comb" where the spikes denote the uniform
amplitudes of state (108) and the action of $U_{x_0}$ is to flip over the spike
corresponding to the marked item.

FIG. 36: Schematic representation of Grover's operator $U_{x_0}$ in (110).



We realize that the state in the source register of (109) equals precisely the
result of the action of $U_{x_0}$, i.e.

$$|\Psi_3\rangle = \left( [1 - 2|x_0\rangle\langle x_0|] \otimes 1 \right) |\Psi_2\rangle. \qquad (111)$$



Step 4. Apply next the operation $D$ known as inversion about the average
(Grover, 1996; 1997). This operator is defined as follows

$$D := -(U_H^{\otimes n} \otimes 1) \, U_{f_0} \, (U_H^{\otimes n} \otimes 1), \qquad (112)$$

where $U_{f_0}$ is the operator in (109) for $x_0 = 0$. The effect of this
operator on the source qubits is to transform
$\sum_x a_x |x\rangle \mapsto \sum_x (-a_x + 2\langle a \rangle)|x\rangle$,
where $\langle a \rangle := 2^{-n} \sum_x a_x$ is the mean of the amplitudes, so
its net effect is to amplify the amplitude of $|x_0\rangle$ over the rest. This
is graphically represented in Fig. 37 (Grover, 1996; 1997).

Step 5. Iterate steps 3 and 4 a number of times $m$.

Step 6. Measure the source qubits (in the computational basis). The number $m$
is determined such that the probability of finding the searched item $x_0$ is
maximal.

FIG. 37: Schematic representation of Grover's operator $D$ in (112). The dashed
line represents the mean amplitude.

The basic component of the algorithm is the quantum operation encoded in steps
3 and 4 which is repeatedly applied to the uniform state in order to find the
marked element.

Although this procedure resembles the classical strategy, Grover's neatly
designed operation enhances by constructive interference of quantum amplitudes
(see Table 0) the presence of the marked state one looks for.

It is possible to give a more general formulation to the operators entering
steps 3 and 4 of the algorithm (Galindo and Martin-Delgado, 2000). To this end
it is sufficient to focus on the source qubits and introduce the following
definitions:

i) A Grover operator $G$ is any unitary operator with at most two different
eigenvalues; i.e., $G$ is a linear superposition of two orthogonal projectors
$P$ and $Q$:

$$G = \alpha P + \beta Q, \quad P^2 = P, \quad Q^2 = Q, \quad P + Q = 1, \qquad (113)$$

where $\alpha, \beta \in \mathbb{C}$ are complex numbers of unit norm.

ii) A Grover kernel $K$ is the product of two Grover operators:

$$K = G_2 G_1. \qquad (114)$$

Some elementary properties follow immediately from these definitions:

a) Any Grover kernel $K$ is a unitary operator.

b) Let the Grover operators $G_1$, $G_2$ be chosen such that

$$G_1 = \alpha P_{x_0} + \beta Q_{x_0}, \quad P_{x_0} + Q_{x_0} = 1,$$
$$G_2 = \gamma P + \delta Q, \quad P + Q = 1, \qquad (115)$$

with $P_{x_0} = |x_0\rangle\langle x_0|$, and $P$ given by the rank 1 matrix

$$\frac{1}{N} \begin{pmatrix} 1 & \cdots & 1 \\ \vdots & & \vdots \\ 1 & \cdots & 1 \end{pmatrix}. \qquad (116)$$

This is clearly a projector $P = |k_0\rangle\langle k_0|$ on the subspace
spanned by the state $|k_0\rangle = \frac{1}{\sqrt{N}}(1, \ldots, 1)^t$, where
the superscript denotes the transpose. Then, if we take the following set of
parameters,

$$\alpha = -1, \quad \beta = 1, \quad \gamma = -1, \quad \delta = 1, \qquad (117)$$

the Grover kernel (114) reproduces the original Grover's choice (1996; 1997).
This property follows immediately by construction. In fact, we have in this
case $G_1 = 1 - 2P_{x_0} =: G_{x_0}$ whilst the operator $G_2 = 1 - 2P$
coincides (up to a sign) with the diffusion operator $D$ (112) introduced by
Grover to implement the inversion about the average of step 4.

The iterative part of the algorithm in step 5 corresponds to applying $m$ times
the Grover kernel $K$ to the initial state
$|x_{in}\rangle := 2^{-n/2} \sum_x |x\rangle$, which describes the source
qubits after step 2, searching for a final state $|x_f\rangle$ of the form



(118) 



such that the probability $p(x_0)$ of finding the marked state is above a given
threshold value. We may take this value to be 1/2, meaning that we choose a
probability of success of 50% or larger. Thus, we are seeking under which
circumstances the following condition

$$p(x_0) = |\langle x_0|K^m|x_{in}\rangle|^2 \geq 1/2 \qquad (119)$$

holds true.

The analysis of this probability gets simplified if we realize that the
evolution associated to the searching problem can be mapped onto a reduced
2D-space spanned by the vectors

$$\left\{ |x_0\rangle, \ |x_\perp\rangle := \frac{1}{\sqrt{N-1}} \sum_{x \neq x_0} |x\rangle \right\}. \qquad (120)$$



Then we can easily compute the projections of the Grover operators $G_1$, $G_2$
in the reduced basis with the result



G 2 = 



S 
7 



Gr 



+ (7 - S) 



a 

(3 




(121) 



(122) 



From now on, we shall fix two of the phase parameters using the freedom we have
to define each Grover factor in (114) up to an overall phase. Then we decide to
fix them as follows:

$$\alpha = \gamma = -1. \qquad (123)$$

With this choice, the Grover kernel (112) takes the following form in this
basis:

$$K = \frac{1}{N} \begin{pmatrix} 1 + \delta(1 - N) & -\beta(1 + \delta)\sqrt{N-1} \\ (1 + \delta)\sqrt{N-1} & \beta(1 + \delta - N) \end{pmatrix}. \qquad (124)$$

The source state $|x_{in}\rangle$ has the following components in the reduced
basis

$$|x_{in}\rangle = \frac{1}{\sqrt{N}} |x_0\rangle + \sqrt{\frac{N-1}{N}} \, |x_\perp\rangle. \qquad (125)$$

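In order to compute the probability amplitude in (119), we introduce the
spectral decomposition of the Grover kernel $K$ in terms of its eigenvectors
$\{|\kappa_1\rangle, |\kappa_2\rangle\}$, with eigenvalues
$e^{i\omega_1}, e^{i\omega_2}$. Thus we have

$$a(x_0) := \langle x_0|K^m|x_{in}\rangle = \frac{1}{\sqrt{N}} \sum_{j=1}^{2} \left\{ |\langle x_0|\kappa_j\rangle|^2 + \sqrt{N-1} \, \langle x_0|\kappa_j\rangle \langle \kappa_j|x_\perp\rangle \right\} e^{i m \omega_j}. \qquad (126)$$

This in turn can be cast into the following closed form:

$$\langle x_0|K^m|x_{in}\rangle = e^{i m \omega_1} \left( \frac{1}{\sqrt{N}} + (e^{i m \Delta\omega} - 1) \langle x_0|\kappa_2\rangle \langle \kappa_2|x_{in}\rangle \right), \qquad (127)$$

with $\Delta\omega := \omega_2 - \omega_1$.

In terms of the matrix invariants

$$\mathrm{Det}\,K = \beta\delta, \quad \mathrm{Tr}\,K = -(\beta + \delta) + (1 + \beta)(1 + \delta)\frac{1}{N}, \qquad (128)$$

the eigenvalues $\zeta_{1,2} := e^{i\omega_{1,2}}$ are given by

$$\zeta_{1,2} = \tfrac{1}{2} \mathrm{Tr}\,K \mp \sqrt{-\mathrm{Det}\,K + \tfrac{1}{4} (\mathrm{Tr}\,K)^2}. \qquad (129)$$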



The corresponding unnormalized eigenvectors are 



/ A^^/ -±{VctK)N 2 +A 2 
I «1,2) OC 2{1+S)VN-1 

V 1 



with 



.4 



(/3-S)N + (l-/3)(l + S). 



(130) 



(131) 



Although we could work out all the expressions for a generic value $N$ of
elements in the list, we shall restrict our analysis to the case of a large
number of elements, $N \to \infty$ (see Fig. 38). Thus, in this asymptotic limit
we need to know the behaviour for $N \gg 1$ of the eigenvector
$|\kappa_2\rangle$, which turns out to be



\k 2 ) oc 



1 



(132) 



Thus, for generic values of $\beta, \delta$ we observe that the first component
of the eigenvector dominates over the second one, meaning that asymptotically
$|\kappa_2\rangle \sim |x_0\rangle$ and then
$\langle x_0|\kappa_2\rangle \langle \kappa_2|x_{in}\rangle = O(1/\sqrt{N})$.
This implies that the probability of success in (127) will never reach the
threshold value (119). Then we are forced to tune the values of the two
parameters in order to have a well-defined and nontrivial algorithm, and we
demand



(133) 



Now the asymptotic behaviour of the eigenvector changes and is given by a
balanced superposition of marked and unmarked states, as follows



«2 



V2V 1 



(134) 



This is normalized and we see that none of the components dominates. When we
insert this expression into (127) we find

$$|\langle x_0|K^m|x_{in}\rangle| \sim \tfrac{1}{2} |e^{i m \Delta\omega} - 1| = |\sin(\tfrac{1}{2} m \Delta\omega)|. \qquad (135)$$

This result means that we have succeeded in finding a class of algorithms which
are appropriate for solving the quantum searching problem. Now we need to find
out how efficient they are. To do this let us denote by $M$ the smallest value
of the time step $m$ at which the probability becomes maximum; then,
asymptotically,⁵¹

$$M \sim [|\pi/\Delta\omega|]. \qquad (136)$$

FIG. 38: Probability of success $p$ as a function of the time step for
$N = 1000$ and $\beta = \delta = e^{i\pi/2}$.



As it happens, we are interested in the asymptotic behaviour of this optimal
period of time $M$. From the equation (129) we find the following behaviour as
$N \to \infty$:



•Jn 



(137) 



Thus, if we parameterize $\delta = e^{i\phi}$, then we finally obtain the
expression



M 



4cosf 



(138) 



⁵¹ The symbol $[x]$ stands for the closest integer to $x$.

Therefore, we conclude that the Grover algorithm of the class parameterized by
$\phi$ is a well-defined quantum searching algorithm with an efficiency of
order $O(\sqrt{N})$.

There have been many applications of Grover's work to quantum searching:
finding the mean and median of a given set of values (Grover, 1996), searching
the maximum/minimum (Durr and Hoyer, 1996), searching more than one marked item
(Boyer et al., 1998), quantum counting, i.e., finding the number of marked
items without caring about their location (Brassard, Hoyer and Tapp, 1998),
etc. There is also a nice geometrical interpretation of the Grover kernel
$K = -G_2 G_1$ in terms of two reflections $G_1$ and $-G_2$, one about
$|x_\perp\rangle$ and the other about $|x_{in}\rangle$, producing a simple
rotation of the initial state (Jozsa, 1999) by an angle
$\theta = 2 \arcsin \frac{1}{\sqrt{N}}$ in the plane spanned by $|x_0\rangle$
and $|x_\perp\rangle$. With this construction it is straightforward to arrive at
the following exact condition for the optimal value $m$ of iterations:



(139) 



2 arcsin 



V/v 



Finally, it has been shown that Grover's algorithm is 
optimal (Bennett et al., 1997; Zalka, 1999), that is, its 
quadratic speed-up cannot be improved for unstructured 
lists. 
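Steps 1 to 6 of Grover's original choice (117), simulated on the source-register amplitudes as an added example that is not part of the original paper. It applies the sign flip of $U_{x_0}$ and the map $a_x \mapsto -a_x + 2\langle a \rangle$ directly, then compares the result with the rotation picture, where the success probability after $m$ iterations is $\sin^2((2m+1)\theta/2)$ with $\theta = 2 \arcsin(1/\sqrt{N})$. The function names and the marked index are constructed for the illustration, and the closed form for the best $m$ is derived here from that rotation rather than copied from the paper.

```python
from math import asin, pi, sin, sqrt


def grover_iteration(amps, marked):
    """One application of steps 3 and 4 to the source amplitudes."""
    amps = list(amps)
    amps[marked] = -amps[marked]          # step 3: U_{x0} flips the marked spike
    mean = sum(amps) / len(amps)          # <a> = 2^{-n} sum_x a_x
    return [2 * mean - a for a in amps]   # step 4: a_x -> -a_x + 2<a>


def success_probabilities(n_qubits, marked, max_iter):
    """p(x0) after m = 0, 1, ..., max_iter iterations, by direct simulation."""
    size = 2 ** n_qubits
    amps = [1 / sqrt(size)] * size        # uniform state after step 2
    probs = [amps[marked] ** 2]
    for _ in range(max_iter):
        amps = grover_iteration(amps, marked)
        probs.append(amps[marked] ** 2)
    return probs


def rotation_probability(size, m):
    """Success probability predicted by the rotation by theta per iteration."""
    theta = 2 * asin(1 / sqrt(size))
    return sin((2 * m + 1) * theta / 2) ** 2


def best_iteration_count(size):
    """Integer m that brings (2m + 1) * theta / 2 closest to pi / 2."""
    theta = 2 * asin(1 / sqrt(size))
    return round(pi / (2 * theta) - 0.5)


if __name__ == "__main__":
    n_qubits, marked = 10, 437            # constructed: N = 1024, x0 = 437
    probs = success_probabilities(n_qubits, marked, 40)
    m_best = max(range(len(probs)), key=probs.__getitem__)
    print("best m by simulation:", m_best)
    print("best m by rotation  :", best_iteration_count(2 ** n_qubits))
    print("success probability :", round(probs[m_best], 5))
    # Iterating past the optimum rotates the state away from |x0> again.
    print("p(x0) at m = 40     :", round(probs[40], 5))
```

For $N = 1024$ the optimum is reached after 25 oracle calls, against the order of $N$ trials a classical search of an unsorted list needs.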



D. Shor Algorithm 

Shor's algorithm (1994) came as a wake-up call for cryptographers working with
codes based on the difficulty of factoring large integer numbers⁵² (see
Sec. VI.A), and now it represents a Damocles' sword hanging over this type of
cryptosystems.

The algorithm of Shor has several parts that make it somewhat involved. It may
be useful to keep in mind the main ingredients entering this algorithm:

i) A periodic function.

ii) Quantum parallelism.

iii) Quantum Fourier transform.

iv) Quantum measurement.

v) Euclid's classical algorithm for finding the greatest common divisor
$\gcd(n_1, n_2)$ of two integers $n_1, n_2$.

Quantum computation opens the door to a new factorization method in polynomial
time (Shor, 1994). This is why, although the technological difficulties to
succeed in their construction are enormous,⁵³ it is highly interesting to find
systems for key distribution whose security (see Sec. VI.B) does not rely upon
the practical difficulty of factoring large integers. Quite ironically, quantum
physics provides both a fast factorization method and a secure key distribution
(Sec. VI.B).

Let $N > 3$ be an odd integer to factorize. Let $a$ be an integer in $(1, N)$.
Let us assume that $\gcd(N, a) = 1$, that is, $N$ and $a$ are coprimes;
otherwise $\gcd(N, a)$ would be a nontrivial factor $f$ of $N$, and we would
restart with $N/f$. The integral powers $a^x$ of $a$ form a cyclic group in
$\mathbb{Z}_N := \mathbb{Z}/N\mathbb{Z}$, and there exists a smallest integer
$r \in (1, N)$, called the order of $a$ mod $N$, such that $a^r = 1$ in
$\mathbb{Z}_N$. Several cases may arise:

1) $r$ is odd;

2) $r$ is even and $a^{r/2} = -1$ in $\mathbb{Z}_N$;

3) $r$ is even and $a^{r/2} \neq -1$ in $\mathbb{Z}_N$.

Only the case 3) is of interest for then $\gcd(N, a^{r/2} \pm 1)$ are
nontrivial factors of $N$.

It can be shown that, for any given odd $N$, the probability of picking up at
random an integer $a \in [1, N]$ coprime to $N$ and fulfilling 3) is
$> 1/(2 \log N)$, provided that $N$ is not a pure prime power (Ekert and Jozsa,
1996).⁵⁴ Therefore it will be enough to analyze $O(\log(1/\epsilon) \log N)$
randomly chosen values of $a$ to succeed in obtaining a nontrivial factor of
$N$ with a probability larger than $1 - \epsilon$. For example, if $N = 21823$,
and $a = 12083$, the order of $a$ mod $N$ is $r = 3588$, and
$12083^{1794} = 4866 \bmod 21823$, thereby
$\gcd(12083^{1794} \mp 1, 21823) = \{139, 157\}$ are factors of 21823. On the
contrary, although the order of $a = 14335$ mod $N$ is also even, namely
$r = 1794$, however $14335^{897} = -1 \bmod 21823$, and
$\gcd(14335^{897} \mp 1, 21823) = \{1, 21823\}$, so that no nontrivial factor
of $N$ is now obtained.

The big problem lies in computing the order $r$ of $a$ mod $N$ for large $N$.
And here is where the Shor algorithm comes in to quantumly search for the order
$r$ of an integer $x$ in the multiplicative group $\mathbb{Z}_N^*$ of integers
modulo $N$, by producing a state with periodicity $r$.

As usual, we need two quantum registers: a source register with $K$ qubits such
that $Q := 2^K \in (N^2, 2N^2)$, and a target register with at least $N$ basis
states (i.e. with $\lceil \log_2 N \rceil$ qubits).

These are the main steps of Shor's algorithm (see Fig. 39):

Step 1. Initialize the source and target qubits to the state
$|\Psi_1\rangle := |0\rangle \otimes |0\rangle$.

Step 2. Apply on the source register the quantum Fourier transform (which is
just the discrete Fourier transform $F_Q$ in $\mathbb{Z}_Q$):⁵⁵

$$U_{F_Q}|q\rangle := \frac{1}{\sqrt{Q}} \sum_{q'=0}^{Q-1} e^{2\pi i q q'/Q} |q'\rangle. \qquad (140)$$

Here, as usual, $q := \sum_{j=0}^{K-1} q_j 2^j$, $q_j = 0, 1$, and
$|q\rangle := |q_{K-1} \ldots q_1 q_0\rangle$. The following output state is
produced:

$$|\Psi_2\rangle := (U_{F_Q} \otimes 1)|\Psi_1\rangle = Q^{-1/2} \sum_{q=0}^{Q-1} |q\rangle \otimes |0\rangle. \qquad (141)$$

This particular case of the quantum Fourier transform corresponds to the
Hadamard gate acting bit-wise on the source qubits.

Step 3. Next apply the gate $U_a$ implementing the modular exponentiation
function $q \mapsto a^q \bmod N$:

$$|\Psi_3\rangle := U_a|\Psi_2\rangle = Q^{-1/2} \sum_{q=0}^{Q-1} |q\rangle \otimes |a^q \bmod N\rangle. \qquad (142)$$

This operation computes at one go $a^q \bmod N$ for all $q$ as a manifestation
of the quantum parallelism (see Sec. IX.A).

Step 4. Apply again the Fourier transform $U_{F_Q}$ on the source register.
Then the state becomes

$$|\Psi_4\rangle := (U_{F_Q} \otimes 1)|\Psi_3\rangle = \frac{1}{Q} \sum_{q=0}^{Q-1} \sum_{q'=0}^{Q-1} e^{2\pi i q q'/Q} |q\rangle \otimes |a^{q'} \bmod N\rangle. \qquad (143)$$

Step 5. Measure the source qubits in the computational basis. The probability
of finding them in the state $|q\rangle$ is
$\mathrm{prob}(q) = \sum_{j=0}^{r-1} \mathrm{prob}_j(q)$, where

$$\mathrm{prob}_j(q) := Q^{-2} \left| \sum_{k=0}^{B_j - 1} \left( e^{2\pi i q r/Q} \right)^k \right|^2, \qquad (144)$$

with $B_j := 1 + \lfloor (Q - 1 - j)/r \rfloor$.

To simplify the algebra, an intermediate step is introduced in most discussions
of Shor's algorithm in which the target qubits are measured prior to the second
application of the QFT (Shor, 1995; Ekert and Jozsa, 1996). If $|b\rangle$ is
the result, the source register will be projected onto a state
$B^{-1/2} \sum_{k=0}^{B-1} |d_b + kr\rangle$, superposition of basis states with
the periodicity $r$ of $a^q$. Here $d_b$ is the minimum non-negative integer
such that $a^{d_b} \bmod N = b$, and
$B := 1 + \lfloor (Q - 1 - d_b)/r \rfloor$ is the length of the series. After
applying the QFT and measuring the source qubits, the probability to obtain now
$|q\rangle$ is just $(Q/B_{d_b}) \, \mathrm{prob}_{d_b}(q)$.

Let us see how to pull out the order $r$ of $a$ from the study of the above
probability $\mathrm{prob}(q)$. The analysis of the geometrical series in (144)
shows that $\mathrm{prob}(q)$ peaks around those $q$'s for which all the complex
numbers in the sum fall in a same half-plane of $\mathbb{C}$, and thus they
enhance each other constructively. It can be shown that such $q$'s are
characterized by $|(qr \bmod Q)| < \tfrac{1}{2} r$, they number $r$, and satisfy
$\mathrm{prob}(q) > (2/\pi)^2 r^{-1}$; therefore the probability of hitting upon
anyone of them is $> (2/\pi)^2 = 0.405\ldots$. In Fig. 40 the form of
$\mathrm{prob}(q)$ is shown.

FIG. 39: A quantum circuit representing the Shor algorithm.

FIG. 40: The probability $\mathrm{prob}(q)$ for the case $Q = 2^8$, $r = 10$.
It gets concentrated around the integers $\lfloor sQ/r \rfloor$, with $s$
integer.

⁵² "The problem of distinguishing prime numbers from composite numbers and of
resolving the latter into their prime factors is known to be one of the most
important and useful in arithmetic" (Gauss, 1801).

⁵³ As Preskill (1997) recalls, it is quite risky to make guesses in this field;
fifty years ago it was foreseen that "Where a calculator on the ENIAC is
equipped with 18,000 vacuum tubes and weighs 30 tons, computers in the future
may have only 1,000 tubes and perhaps only weigh 1 1/2 tons" (Popular
Mechanics, March 1949), and the "future" has surpassed these expectations
amply.

⁵⁴ There are fast power tests to detect whether $N$ is a prime power, say
$N = p^s$, and to find $p$ in that case (Cohen, 1993). A rudimentary
transcendental and not very efficient procedure consists in trying with the
integers $\lfloor N^{1/k} \rfloor$, $\lceil N^{1/k} \rceil$,
$k = 2, 3, \ldots, \lceil \log_2 N \rceil$, until hopefully finding one being a
divisor of $N$.

⁵⁵ This is specially fast when $Q = 2^K$.

The condition of constructive interference (see Table 0) for each $q > 0$
amounts to the existence of an integer $q' \in (0, r)$ such that
$|(q/Q) - (q'/r)| < \tfrac{1}{2} Q^{-1}$. As we have chosen $Q > N^2$, and
$r < N$, there exists a unique $q'$ such that the fraction $q'/r$ satisfies that
inequality. This rational number $q'/r$ can be easily found as a convergent to
the (finite simple) continued fraction expansion of $q/Q$. If this convergent
is the irreducible fraction $q_1/r_1$, it may happen that
$a^{r_1} = 1 \bmod N$, which implies $r = r_1$, and we are over. Otherwise, we
would only know that $r_1$ is a divisor of $r$, and we would have to carry on,
choosing another $q$ with constructive interference, to see if this time we are
luckier. It can be shown that the probability of finding an appropriate $q$ is
order $O(1/\log\log r)$, and therefore with a number $O(\log\log N)$ of trials
it is highly probable to obtain $r$.

For example, let $N = 15$ (this is a sort of "toy model"), and $a = 7$. We can
effortlessly see by brute force that $r = 4$. Suppose, however, that we insist
in following the Shor way (quite a luxury in this case, but a necessity if $N$
had half a thousand digits). We would take $Q = 2^8$ to comply with
$N^2 < Q < 2N^2$. After step 5 we would obtain the state $|q\rangle$ of the
source qubits, where, for instance, $q = 0, 64, 128, 192$ with probabilities
0.25, 0.25, 0.25, 0.25. The first value is useless, for $q/Q$ does not allow us
to determine $r$ if $q = 0$. From the continued fraction series expansion
$\{a_0, a_1, a_2, \ldots\} := a_0 + 1/(a_1 + 1/(a_2 + \ldots))$ of $q/Q$
($64/256 = \{0, 4\}$, $128/256 = \{0, 2\}$, $192/256 = \{0, 1, 3\}$) we see that
for $q = 64$ (resp. 128, 192), the fraction 1/4 (resp. 1/2, 3/4) approximates
$q/Q$ with an error less than $1/(2Q)$. Thus, 4 is a divisor of $r$, i.e.
$r = 4, 8, 12$, etc. A direct check selects $r = 4$ as the order of 7 mod 15.
And since $7^{4/2} \neq -1 \bmod 15$, then $\gcd(49 \pm 1, 15) = \{5, 3\}$ are
factors of 15.

As a little more complicated example, take $N = 25397$, $a = 71$. Then
$Q = 2^{30} = 1073741824$. There are many values of $q$ for which the
probability is appreciable and similar. One of those is $q = 6170930$, for
which $\mathrm{prob}(q)$ is about $2 \times 10^{-3}$. The approximation 1/174 to
$q/Q$ is the only convergent with denominator $< N$ provided us by the
continued fraction expansion $\{0, 174, 1542732, 2\}$ of $q/Q$. Therefore, the
order $r$ of 71 mod 25397 is a multiple of 174, say $r = 174, 348, 522$, etc. A
direct check shows that $r = 522$. Also in this case $a^{r/2} \neq -1 \bmod N$,
and $\gcd(71^{261} \pm 1, 25397) = \{109, 233\}$ are divisors of 25397.
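The classical post-processing of a measured $q$, as an added example that is not part of the original paper: it expands $q/Q$ as a continued fraction, keeps the convergent $q_1/r_1$ with $r_1 < N$ that lies within $1/(2Q)$ of $q/Q$, runs the direct check on multiples of $r_1$, and finally takes the two gcds. The function names are hypothetical; the inputs are the two worked cases from the text ($N = 15$, $a = 7$ and $N = 25397$, $a = 71$).

```python
from fractions import Fraction
from math import gcd


def continued_fraction(num, den):
    """Terms {a0, a1, ...} of the finite simple continued fraction of num/den."""
    terms = []
    while den:
        a, rem = divmod(num, den)
        terms.append(a)
        num, den = den, rem
    return terms


def convergents(terms):
    """Yield (numerator, denominator) of each convergent, in order."""
    h_prev, h = 1, terms[0]
    k_prev, k = 0, 1
    yield h, k
    for a in terms[1:]:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def order_from_measurement(q, Q, a, N):
    """Order r of a mod N deduced from one measured q, or None if q is useless."""
    if q == 0:
        return None                       # q/Q = 0 says nothing about r
    target = Fraction(q, Q)
    r1 = None
    for num, den in convergents(continued_fraction(q, Q)):
        if den >= N:
            break                         # r < N, so larger denominators are out
        if abs(target - Fraction(num, den)) < Fraction(1, 2 * Q):
            r1 = den
    if r1 is None:
        return None
    # r1 divides r: direct check on r1, 2*r1, 3*r1, ...
    r = r1
    while r < N:
        if pow(a, r, N) == 1:
            return r
        r += r1
    return None


def factors_from_order(a, r, N):
    """gcd(a^(r/2) -+ 1, N) when case 3) holds, otherwise None."""
    if r % 2:
        return None                       # case 1): r is odd
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None                       # case 2): a^(r/2) = -1 in Z_N
    return tuple(sorted((gcd(y - 1, N), gcd(y + 1, N))))


if __name__ == "__main__":
    for q in (0, 64, 128, 192):
        print("N=15 a=7 q=%3d ->" % q, continued_fraction(q, 256),
              "r =", order_from_measurement(q, 256, 7, 15))
    print("factors of 15:", factors_from_order(7, 4, 15))

    q, Q, a, N = 6170930, 2 ** 30, 71, 25397
    r = order_from_measurement(q, Q, a, N)
    print("N=25397 a=71:", continued_fraction(q, Q), "r =", r,
          "factors", factors_from_order(a, r, N))
```

A measured $q$ whose convergent only yields a proper divisor of $r$, such as $q = 128$ for $N = 15$, still succeeds here because of the direct check on multiples.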

In Fig. 41 the factorization time with a hypothetical quantum computer at 100
MHz is represented as a function of binary length of the integer to be
factorized. The spectacular efficiency of the Shor algorithm stands out, with a
time of 20 years for an integer of about 40 000 digits (Hughes, 1997).

FIG. 41: Factorization times with a hypothetical QC at a nominal clock
frequency of 100 MHz. The time $t(n)$, in minutes, is shown as a function of
the number of bits.

Shor's algorithm may seem a bit miraculous after those several "manipulations"
or steps. The rationale is the same as described in Sec. IX: to drive the
system into an appropriate outcome state that upon measurement yields the
desired result with high probability. Where does the constructive interference
ingredient (Table 0) come into the algorithm? It is by means of the second QFT
operation. This is designed to produce the interference among qubit amplitudes
in such a way as to enhance those aspects of the output that favor the
determination of the order $r$.



1. The Quantum Fourier Transform 

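Let us take a closer look at the discrete Fourier transform $U_{F_Q}$ when
$Q = 2^K$. It is at the core of Shor's algorithm and is responsible for its
exponential speed-up. To analyze the efficiency of the Shor algorithm it proves
convenient to implement the QFT by means of one- and two-qubit gates. The
result, shown in Fig. 42, will follow from the expression (140), duly worked
out.

The phase factor $e^{2\pi i q q'/2^K}$ in (140) is a periodic function of $q$,
and of $q'$ as well, with period $2^K$. The numbers $q$ and $q'$ have the
following binary decompositions: $q = \sum_{j=0}^{K-1} q_j 2^j$, $q_j = 0, 1$
and $q' = \sum_{l=0}^{K-1} q'_l 2^l$, $q'_l = 0, 1$. Then their product can be
written as

$$q q' = \sum_{j,l=0}^{K-1} q_j q'_l 2^{j+l} = \sum_{0 \le j+l < K} q_j q'_l 2^{j+l} \bmod Q. \qquad (145)$$

By entering this expression into (140), and defining
$\bar{q}'_l := q'_{K-1-l}$, $l = 0, \ldots, K-1$,
$0.abc\ldots := 2^{-1}a + 2^{-2}b + 2^{-3}c + \ldots$, we find

$$U_{F_Q}|q\rangle = \frac{1}{\sqrt{Q}} \sum_{q'=0}^{Q-1} \exp(2\pi i q q'/2^K) |q'\rangle = \frac{1}{\sqrt{Q}} \sum_{q'=0}^{Q-1} \exp\Big( 2\pi i \sum_{0 \le j+l < K} q_j q'_l 2^{j+l-K} \Big) |q'\rangle = \frac{1}{\sqrt{Q}} \sum_{q'=0}^{Q-1} \exp\Big( 2\pi i \sum_{0 \le j \le l < K} q_j \bar{q}'_l 2^{j-l-1} \Big) |q'\rangle \qquad (146)$$

and hence

$$U_{F_Q}|q\rangle = \frac{1}{\sqrt{Q}} \sum_{q'=0}^{Q-1} \bigotimes_{l=0}^{K-1} \exp\Big( 2\pi i \sum_{0 \le j \le l} q_j 2^{j-l-1} \bar{q}'_l \Big) |\bar{q}'_l\rangle = \frac{1}{\sqrt{Q}} \bigotimes_{l=0}^{K-1} \sum_{\bar{q}'_l = 0,1} \exp\Big( 2\pi i \sum_{0 \le j \le l} q_j 2^{j-l-1} \bar{q}'_l \Big) |\bar{q}'_l\rangle = \bigotimes_{l=0}^{K-1} \frac{1}{\sqrt{2}} \left( |0\rangle + \exp(2\pi i \, 0.q_l q_{l-1} \ldots q_0) |1\rangle \right). \qquad (147)$$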
In particular, the transformed state $U_{F_Q}|q\rangle$ is separable. The QFT
gate $U_{F_Q}$ can be explicitly written as a product of Hadamard,
controlled-phase and SWAP gates:

U 



f q 




SWAP,i,K-l- 



n 



l=K-l, 




(148) 



where $\theta_j := \pi/2^j$, $U_{\mathrm{SWAP},i,j}$ exchanges the qubit states
labelled by $i, j$, and



Uh,i\-U-) :=2- 1/2 J2 ^ 



■9i- 



U jtl {6)\... qi ... qj . 



3=0,1 
— JgiQjS 



(149) 



■ qi-q 3 - 



are the Hadamard gate action on the one-qubit state $|q_i\rangle$, and the
controlled-phase gate action on the two-qubit state $|q_i q_j\rangle$,
respectively. From the factorization (148) we can read off the quantum circuit
(see Fig. 42) implementing the QFT (up to a reversion of the output qubits).

The number of Hadamard gates in this implementation of the QFT is $K$, and that
of the controlled-gates is $\tfrac{1}{2} K(K-1)$. Altogether this implies that
the size of quantum circuit for Shor's algorithm is order $O(K^2)$ regardless
of the SWAP gates for the final reversion (Coppersmith, 1994).⁵⁶

The quantum Fourier transform can be extended to deal with qubits with a number
of states $d$ not necessarily equal to 2 (see Sec. III). In this case the
dimension of the Hilbert space of $K$ source qubits is $Q = d^K$, and equations
(140), (149) for the QFT, the Hadamard and the controlled-phase gates hold true
provided the phase angle is taken to be



2tt 



(150) 



For instance, for qubits with d ~ 3 state or qutrits, the 
Hadamard gate takes the following explícit form 

C/f | ) = -L[|0) + |1) + |2)] 

C/f |l) = -^[|0)+c|l)+c 2 |2)] (151) 

C/f |2) 



V3 



[|0)+c 2 |l)+ W 3 |2)] 



In this general case, the sequence of one- and two-qubit 
gates for the decomposition of the QFT remains vàlid, as 
well as their counting. This implies that using qudits 
for QFT does not spoil its superb performance, while 
retaining the advantage of reducing by a factor of [log 2 d\ 
the length of the quantum registers (see Sec. HI). 



2. Cost of Shor's Algorithm 

We finally cvaluate the complexity of Shor's algo- 
rithm. The first QFT transform (step 2) is just a 
Hadamard operation applied bit-wise and its cost is 
0(log 2 iV). The modular exponentiation in step 3 con- 
sumes 0(log 2 N log 2 log 2 N log 2 log 2 log 2 N) time (Shor, 
1994). The second QFT gate (step 4) is, according to 
the results just mentioned, (9(log 2 N). Therefore the to- 
tal cost to determino the order r of a mod N, with a 
probability of success 0(1), is 0(log 2 +e N), any e > 0. 

Once r is determined, there remains to calculate 
gcd(a r / 2 ± 1,N) in order to find a factor of N. This 
arithmetical operation is more resource demanding, since 
it takes 0(log 2 N) time steps when Euclid's celebrated 
algorithm is applied. 57 

Altogether we end up with a total cost 0(log 2 N) for 
the completo factorization algorithm with high probabil- 
ity, 58 what represents in practice a subexponential gain 
over the classical best algorithms (QS, GNFS) known 
nowadays. 



E. On the Classification of Algorithms 

One of the most important issues in quantum computing
is the design of quantum algorithms. Very few of them
are known. Apparently, we are lacking the basic principles
underlying the quantum version of algorithmic problem
solving. We want in part to address this question, and we
believe that one attempt to understand the basic principles
of quantum algorithm design may proceed by comparison with
the known strategies for designing classical algorithms in
Computational Science. This is suggested by the studies
about the relationships between fundamentals of classical
and quantum computations presented in Sec. VIII and
Sec. IX.A. In this regard, we need to distinguish between
fundamentals of quantum computation and strategies for
designing algorithms. Although the latter are still unknown,
the former have been described in Table V. The fact that we
can understand the fundamentals of quantum computation does
not mean in principle that we know the keys to set up
quantum algorithms, although it can be of great help.



56 In contrast, the classical fast Fourier transform requires order
$O(K 2^K)$ elementary operations to transform a K-bit vector (Press
et al., 1992).

57 Actually, a more refined implementation of the gcd algorithm
(Knuth, 1981) reduces its cost to
$O(\log N (\log\log N)^2 \log\log\log N)$.

58 Or better $O(\log^{2+\epsilon} N)$, if the previous footnote is
considered.

FIG. 42: Implementation of the quantum Fourier transform with
Hadamard and controlled-phase gates (up to a reversion of output
qubits). By $U_j$ we denote the unary gate
$U_j := |0\rangle\langle 0| + e^{2\pi i/2^j}|1\rangle\langle 1|$. For
typographical reasons a factor $2^{-1/2}$ has been omitted in each
output qubit.



Now let us come to the point of analysing the classical
strategies of algorithm design from the point of view
of quantum computation. To this end, we shall consider
the classification introduced by Levitin (1999), who has
done a reformulation which includes and categorizes in
a nice fashion other classification schemes (Brassard and
Bratley, 1996). Following Levitin, there are four classical
general design techniques, which we shall describe briefly
by their definition and with a simple example to illustrate
them. This example is the problem of computing $a^n \bmod p$,
which is of great importance in public-key encryption
algorithms (Sec. VI, Sec. X.D). Then we have the following
generic types:

1) Brute Force Algorithms

It amounts to solving a problem by directly applying
its crude formulation. Example: $a^n = a \cdot a \cdots a$, n times.

2) Divide-and-Conquer Algorithms

The original problem is partitioned into a number of
smaller subproblems, usually of the same kind. These in
turn are then solved and their solutions combined to get
a solution of the bigger problem. This strategy usually
employs recursivity in order to obtain a greater profit.
Example: $a^n = a^{\lfloor n/2 \rfloor} \cdot a^{\lfloor n/2 \rfloor} \cdot a^{\,n-2\lfloor n/2 \rfloor}$.

3) Decrease-and-Conquer Algorithms

The original problem is reduced to a smaller one, which
is usually solved by recursion and the solution so obtained
is applied to find a solution of the original problem.
Examples: a) $a^n = a^{n-1} \cdot a$ (decrease-by-one variety);
b) $a^n = (a^{\lfloor n/2 \rfloor})^2$ if n even,
$a^n = (a^{\lfloor n/2 \rfloor})^2 \cdot a$ if n odd
(decrease-by-half variety).

4) Transform-and-Conquer Algorithms

The original problem is transformed into another
equivalent problem which is more amenable to solution
with simpler techniques. Example: $a^n$ is computed by
exploiting the binary representation of n.

Classical Technique      Algorithm Example
Brute Force              Searching the Largest
Divide-and-Conquer       Quicksort
Decrease-and-Conquer     Euclid's Algorithm
Transform-and-Conquer    Gaussian Elimination

TABLE VIII: Classification of Classical Algorithms.

These four types of strategies have in turn several sub- 
types we shall not dwell upon. 
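The four strategies above applied to the running example $a^n \bmod p$, as an added example that is not part of the original paper. Each function (names are assumptions of this sketch) returns the result together with the number of modular multiplications it performed, so the strategies can be compared on the same input.

```python
def brute_force(a, n, p):
    """1) Brute force: a * a * ... * a, n times."""
    result, mults = 1 % p, 0
    for _ in range(n):
        result = (result * a) % p
        mults += 1
    return result, mults


def divide_and_conquer(a, n, p):
    """2) a^n = a^floor(n/2) * a^floor(n/2) * a^(n - 2 floor(n/2)).

    Both halves are solved as independent subproblems, so nothing is
    saved with respect to brute force (n - 1 multiplications).
    """
    if n == 0:
        return 1 % p, 0
    if n == 1:
        return a % p, 0
    h = n // 2
    left, m_left = divide_and_conquer(a, h, p)
    right, m_right = divide_and_conquer(a, h, p)
    result, mults = (left * right) % p, m_left + m_right + 1
    if n - 2 * h == 1:                  # odd n: one extra factor a
        result, mults = (result * a) % p, mults + 1
    return result, mults


def decrease_by_half(a, n, p):
    """3b) a^n = (a^floor(n/2))^2, times a if n is odd.

    The half-size problem is solved once and reused.
    """
    if n == 0:
        return 1 % p, 0
    half, mults = decrease_by_half(a, n // 2, p)
    result, mults = (half * half) % p, mults + 1
    if n % 2 == 1:
        result, mults = (result * a) % p, mults + 1
    return result, mults


def transform_and_conquer(a, n, p):
    """4) Use the binary representation of n (left-to-right
    square-and-multiply): square for every bit, multiply on a 1 bit."""
    result, mults = 1 % p, 0
    for bit in bin(n)[2:]:
        result, mults = (result * result) % p, mults + 1
        if bit == "1":
            result, mults = (result * a) % p, mults + 1
    return result, mults


def compare(a, n, p):
    """Result and multiplication count of every strategy for a^n mod p."""
    strategies = (brute_force, divide_and_conquer,
                  decrease_by_half, transform_and_conquer)
    return {f.__name__: f(a, n, p) for f in strategies}


if __name__ == "__main__":
    # Constructed input: 7^13 mod 11, with 13 = 1101 in binary.
    for name, (value, mults) in compare(7, 13, 11).items():
        print(f"{name:22s} value={value} multiplications={mults}")
```

In `transform_and_conquer` the extra multiplication happens only on 1 bits of n, so its running time depends on the exponent; implementations that handle secret exponents use constant-time variants for that reason.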

Table VIII contains these classical strategies with some
well-known and less trivial examples of representative
algorithms. There are important algorithms built upon a
mixture of these basic techniques; for example, the Fast
Fourier Transform employs both divide-and-conquer and
transform-and-conquer techniques.

Now, it can be quite revealing to set up the quantum
version of Table VIII by classifying the most useful of
the so-far known quantum algorithms. This we do in
Table IX.



Quantum Technique        Algorithm Example
Brute Force              Grover's Algorithm
                         Deutsch-Jozsa's Algorithm
                         Simon's Algorithm
Divide-and-Conquer       -
Decrease-and-Conquer     -
Transform-and-Conquer    Shor's Algorithm

TABLE IX: Classification of quantum algorithms.

Several remarks are in order.

Firstly, we have placed Grover's algorithm in the category
of Brute Force algorithms. The strategy is similar
to its classical counterpart, which is of Brute Force type.
The difference lies in the fact that the quantum operation
is realized through a unitary operator which implements
the reversible quantum computation. 59 Although
the Brute Force technique usually gives algorithms of low
efficiency, it is very important for several reasons. One is
that there are important cases, like the searching problem,
where the Brute Force method outperforms more
sophisticated strategies like divide-and-conquer. We find
Grover's algorithm as a realization of the Brute Force
technique at the quantum level and this is why it is so
simple and of general purpose at the same time.

Secondly, we have included Shor's algorithm in the category
of transform-and-conquer algorithms. As we have
explained in Sec. X.D, Shor solves the factorization problem
by reducing it to the problem of finding the period
of a certain function in number theory, which in turn
is solved with the aid of the fundamentals of quantum
computation. Having realized this, we point out that the
classical versions of transform-and-conquer algorithms are
very rare (Anany, 1999). This may explain why Shor's
algorithm, although more powerful than Grover's, has
a more reduced range of applications.



Thirdly, the most notorious aspect of Table IX is the
absence of quantum algorithms based on the divide-and-conquer
technique, which is by far the most general and
used strategy in classical computation. This may partly
account for the list of quantum algorithms being so short.
Moreover, if we resort to the basic features of quantum
computation (Table V) we may explain somehow why
this entry is empty in Table IX. We know that a quantum
register supports the superposition of many states at the
same time. This implies that the qubits of the quantum
registers are strongly correlated (entangled) and their
joint state is not separable into a product of states of
smaller subregisters. Thus quantum parallelism and
entanglement render unnatural any attempt to implement the
strategy of divide-and-conquer in a quantum register, at
least in a straightforward and naive fashion. 60



XI. EXPERIMENTAL PROPOSALS OF QUANTUM 
COMPUTERS 

The great challenge of quantum computation is to
build real quantum computers capable of implementing
the quantum logic operations of Sec. IX and of performing
the quantum algorithms of Sec. . In this section
we present some of the experimental proposals to this
end. Some of these proposals have been actually carried
out, and this is already a significant advance for it
means that the theoretical constructs can be checked
experimentally. However, these devices are very modest in
size and the real breakthrough will be to scale them up
to sizes capable of doing tasks not yet done with classical
computers, like code-breaking with Shor's algorithm or
database searching with Grover's algorithm.

Before giving an overview of a few experimental proposals,
it is convenient to summarize what they all have
in common. There is a generic setting to build a quantum
computer. 61 We basically need:

i) any two-level quantum system,

ii) interaction between qubits,

iii) external manipulation of qubits.

The two-level system is used as a qubit and the interaction
between qubits is used to implement the conditional
logic of the quantum logic gates (Sec. IX). The system of
qubits must be accessible for external manipulations: to
read in the input state and read out the output, as well
as during the computation if the quantum algorithm
requires it.

Interestingly enough, some of the possible qubits and
quantum logic gates have been with us since the early
times of Bohr. For example, the quantum NOT-gate
is obtained, at least in principle, either by exciting an
atomic ground state to an upper level with a photon
of appropriate frequency and time length, or by induced
emission. If the length of light pulses is halved, a
Hadamard-like gate will result. 62 Quantum computation
has provided us with a new insight on these operations.

There are several settings in which one can illustrate
the very basics of realizing experimental quantum computers
and seeing the above three requirements in action.
We shall choose as our qubit system a spin-1/2 massive
particle with magnetic moment, whose translational motion
will be ignored. 63 Placing this qubit in a suitably oscillating
external magnetic field will allow us to theoretically
implement the unary quantum gates.

We shall not dwell upon all the practical technicalities
of the experimental proposals below but instead present
the basic physical foundations underlying some of the
quantum computers.

59 By a similar rationale, we have placed Deutsch-Jozsa and
Simon algorithms in the same class.

60 A blend of classical and quantum algorithms might make room
for a divide-and-conquer strategy.

61 At least with our present knowledge.

62 Strictly speaking, this halved pulse produces the action of the
so-called pseudo-Hadamard gate.

63 Other simple choices are the polarization of a photon, an
atomic system with just two relevant levels, etc.



1. One- and Two-Qubit Logic Gates with Spin Qubits 

This is one of the few examples where one can follow
exactly the evolution of the quantum system, and it is
versatile enough to allow building some of the basic logic
gates. We present it as a preparation for more complex
setups.

Suppose that our qubit, a spin-1/2 particle, has a magnetic
moment $\boldsymbol{\mu} = \gamma\mathbf{S}$, where
$\mathbf{S} = \tfrac{1}{2}\hbar\boldsymbol{\sigma}$ is the spin
operator. In the presence of a uniform but time-dependent
magnetic field $\mathbf{B}(t)$ the qubit state $|\psi(t)\rangle$
will evolve with the Hamiltonian
$H(t) = -\gamma\mathbf{S}\cdot\mathbf{B}(t)$ (Rabi, 1937):

$$
i\hbar\,\frac{d}{dt}|\psi(t)\rangle = -\gamma\,\mathbf{S}\cdot\mathbf{B}(t)\,|\psi(t)\rangle.
\tag{152}
$$

When the magnetic field rotates uniformly around a
fixed axis (say Oz), namely

$$
\mathbf{B}(t) = (B_1\cos\omega t,\; B_1\sin\omega t,\; B_0),
\tag{153}
$$

then Eq. (152) can be solved explicitly, with the result
(Galindo and Pascual, 1990b):

$$
\begin{aligned}
|\psi(t)\rangle &= U(t)|\psi(0)\rangle,\\
U(t) &:= e^{-i\omega t\sigma_z/2}\,e^{-i[(\omega_0-\omega)\sigma_z+\omega_1\sigma_x]t/2}\\
&= (\cos\tfrac{1}{2}\omega t - i(\sin\tfrac{1}{2}\omega t)\sigma_z)(\cos\tfrac{1}{2}\Omega t - i(\sin\tfrac{1}{2}\Omega t)\sigma'),
\end{aligned}
\tag{154}
$$

where $\omega_0 := -\gamma B_0$, $\omega_1 = -\gamma B_1$,
$\Omega := ((\omega_0-\omega)^2+\omega_1^2)^{1/2}$
is the so-called Rabi frequency, and
$\sigma' := \Omega^{-1}((\omega_0-\omega)\sigma_z+\omega_1\sigma_x)$.

As the computational basis (Sec. IX.A) we will take the
eigenvectors of $\sigma_z$: $|0\rangle := |\uparrow\rangle$
(spin-up state), $|1\rangle := |\downarrow\rangle$
(spin-down state). 64

The probability of spin flip is one if and only if
$\omega = \omega_0$ (resonance condition), hence
$\Omega = |\omega_1|$, and $\Omega t \in 2\pi(\mathbb{Z}+\tfrac{1}{2})$.
When the oscillating part of the magnetic field (153) is
resonant, i.e. it satisfies $\omega = \omega_0$, then such
field is known as a Rabi pulse.

Let us see how to induce one-qubit operations using
Rabi pulses of appropriate durations. In view of
and up to the global phase factor represented by Ph($\delta$)
in ( p9| ), it suffices to do it for the rotations
$R_z(\alpha)$, $R_y(\beta)$:

a) The rotation $R_z(\alpha)$ is emulated by taking a constant
field along the z-axis and setting to zero the oscillating
part ($B_1 = 0$, i.e. $\Omega = 0$). The angle is simply
$\alpha =$ , $T$ being the pulse length. The rotation
$R_z(\gamma)$ is obtained similarly.

b) To reproduce the rotation $R_y(\beta)$ in the decomposition
( ), note that
$R_y(\beta) = R_z(\tfrac{1}{2}\pi)R_x(\beta)R_z(-\tfrac{1}{2}\pi)$, and
that $U(t) = R_z(\omega t)R_x(\Omega t)$. Therefore, to build
$R_y(\beta)$ it suffices to compose with suitable rotations
around Oz, implemented as above, the action of a Rabi pulse
with $\Omega T = \beta$.

For instance, a $\pi$-pulse, i.e. a pulse with duration
$T = \pi/\Omega$, reproduces in the interaction picture a quantum
NOT-gate (up to a global factor $-i$). 65 Similarly, a
pulse produces essentially a Hadamard gate.

64 With this choice, $|0\rangle$ will be the ground state of the
magnetic Hamiltonian provided that the spin corresponds to a
positively charged particle ($\gamma > 0$).

So far we have manipulated externally the spins 1/2 to
produce one-qubit gates. To generate two-qubit gates
we need a pair of interacting qubits at sites 1, 2. For
simplicity's sake, let us assume the simplest possible type
of interaction between them, namely, an Ising interaction:

$$
H_{12} = -(\gamma_1 S_1^z + \gamma_2 S_2^z)B_z + 2(J/\hbar)S_1^z S_2^z.
\tag{155}
$$

FIG. 43: Energy levels of a two-qubit spin system with
Ising interaction (units $\hbar = 1$). On the left, the
non-interacting Zeeman levels, and on the right the levels
perturbed by the Ising term (when $\omega_1 < \omega_2 < -J < 0$).

The origin of the single spin terms may be the presence
of an external magnetic field. In case (155), this field is
constant and directed along Oz, and the two spins may
have different magnetic moments. The coupling constant
J measures the spin-spin interaction. Defining the
frequencies $\omega_i := -\gamma_i B_z$, $i = 1, 2$, the
eigenvalues of this Hamiltonian are

$$
\tfrac{1}{2}\hbar\,[(-1)^{x_1}\omega_1 + (-1)^{x_2}\omega_2 + (-1)^{x_1+x_2}J],
\tag{156}
$$

where $x_i = 0, 1$, $i = 1, 2$.

65 At resonance, the time evolution operator U(t) factorizes as
$U(t) = e^{-i\omega_0 t\sigma_z/2}\,e^{-i\omega_1 t\sigma_x/2}$. The
first factor represents the evolution operator $U_0(t)$ under the
static magnetic field, whereas the second factor is just the total
unitary propagator $U_I(t) := U_0^{-1}(t)U(t)$ in the interaction
picture.

These energy levels are represented in Fig. 43 for
$\omega_1 < \omega_2 < -J < 0$. We clearly see that if we apply a
$\pi$-pulse with frequency $\omega = |\omega_2| + J$, the states
$|11\rangle$ and $|10\rangle$ get swapped while the rest are not
excited. This is precisely what a CNOT-gate does with the first
spin acting as control qubit and the second spin as a target
qubit (Berman et al., 1997).
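The level structure of Eq. (156) can be checked numerically, as an added example that is not part of the original paper. It assumes units with $\hbar = 1$, constructed values of $\omega_1$, $\omega_2$, J obeying $\omega_1 < \omega_2 < -J < 0$, and an idealized pulse that swaps exactly those pairs of levels, differing by one spin flip, whose gap equals the pulse frequency; the function names are assumptions of this sketch.

```python
from itertools import product


def ising_energy(x1, x2, w1, w2, J):
    """Eigenvalue of Eq. (156) for the basis state |x1 x2>, hbar = 1."""
    return 0.5 * ((-1) ** x1 * w1 + (-1) ** x2 * w2 + (-1) ** (x1 + x2) * J)


def single_flip_gaps(w1, w2, J):
    """Energy gaps between basis states that differ by one spin flip."""
    gaps = {}
    for x1, x2 in product((0, 1), repeat=2):
        for y1, y2 in ((1 - x1, x2), (x1, 1 - x2)):
            pair = tuple(sorted([(x1, x2), (y1, y2)]))
            gaps[pair] = abs(ising_energy(x1, x2, w1, w2, J)
                             - ising_energy(y1, y2, w1, w2, J))
    return gaps


def selective_pi_pulse(freq, w1, w2, J, tol=1e-9):
    """Permutation of basis states produced by an ideal pi-pulse.

    Idealization (assumption): a pair of levels is swapped if and only
    if its gap equals the pulse frequency; all other states are left
    untouched.
    """
    mapping = {s: s for s in product((0, 1), repeat=2)}
    for (s, t), gap in single_flip_gaps(w1, w2, J).items():
        if abs(gap - freq) < tol:
            mapping[s], mapping[t] = t, s
    return mapping


if __name__ == "__main__":
    w1, w2, J = -7.0, -3.0, 1.0          # constructed: w1 < w2 < -J < 0
    for pair, gap in sorted(single_flip_gaps(w1, w2, J).items()):
        print(pair, gap)
    # Pulse at |w2| + J: flips spin 2 only when spin 1 is in state 1.
    print(selective_pi_pulse(abs(w2) + J, w1, w2, J))
```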

Other useful two-qubit gates such as the controlled-phase
gate (78), that enters Shor's algorithm, can be
built up similarly using the Ising interaction. An explicit
construction of this gate is the following (Jones, Hansen
and Mosca, 1998)



UcPh(4>) = exp (— ii<£[- 



Sï + Sï-2S(Sï}), (157) 



wherc S; 



k - 



Of particular interest is the case $\phi = \pi$ for, as remarked
in Sec. IX.B, with this controlled gate plus two Hadamard gates
(on the target qubit) we can reconstruct the important CNOT gate.


A. The Ion-Trap QC

The ion-trap quantum computer was introduced by
Cirac and Zoller (1995) and since then many other potential
and actual realizations of quantum computers have
been pursued by many groups. The quantum hardware
is the following: a qubit is a single ion held in a trap
by laser cooling and the application of appropriate
electromagnetic fields; a quantum register is a linear array
of ions; operations are effected by applying laser Rabi
pulses; information transmission is achieved as a result of
the Coulomb interaction between ions and the exchange
of phonons from collective oscillations. We see again, at
a very fundamental level, that information is physical.
Using the Cirac-Zoller (CZ) technique it was possible to
construct soon afterward a single quantum gate by Monroe
et al. (1995).

The ion-trap proposal has several advantages: it needs
manipulation of quantum states that were already known
from precision spectroscopy techniques; it has low
decoherence rates due to decay of excited states and the
heating of the ionic motion; there exist very efficient
experimental methods to retrieve the information from
the quantum computer like the mechanism of quantum
jumps.


1. Experimental setup 

The geometry of a radio frequency (RF) ion-trap or
Paul trap is schematically shown in Fig. 44. A RF Paul
trap uses static and oscillating electric potentials to
confine particles within small (~ 1 nia) regions. To obtain
a string of ions forming the quantum register we need
a quadrupole ion trap with a cylindrical geometry. The
confining mechanism of ions is twofold:

i) A strong radial confinement, achieved by RF potentials
generally produced with four rod electrodes.

ii) An axial confinement achieved by applying a
harmonic-like electrostatic potential through two end
caps.

FIG. 44: Schematic geometry of a radio-frequency
quadrupole linear ion-trap. Laser beams address a string
of ions in the middle of the setup with 4 linear rods and
2 end-caps.

The ions lie along the trap axis and their oscillations
are controlled by the axial potential. The collective
oscillations of the string center of mass (CM) are used as a
sort of computational bus, transferring information from
one ion to another by phonon exchange. The dimensions
of the ion-traps used by Los Alamos group are typically
1 cm long and 1-2 mm wide (Hughes et al., 1998).

Before any computation takes place, the CM of the
ion string must be set to its ground state. This is
accomplished by a laser cooling process that cools down
the ions to the ground state of their vibrational motion.
The result of this cooling is an ion string configuration as
shown in Fig. |4^, crystallizing into a linear array which
makes it possible to address each ion individually by lasers.
The inter-ion spacing can be controlled as a balance of
the ion Coulomb repulsion and the axially confining
potential (Wineland et al., 1997).

Several kinds of ions (Be+, Ca+, Ba+, Mg+, Hg+, Sr+,
etc.) and qubit schemes have been proposed. The CZ
qubit $\{|0\rangle, |1\rangle\}$ is built using some appropriate
electronic ion states. For instance, Los Alamos group (Hughes et
al., 1998) have chosen Ca+ ions, whose more relevant
levels are shown in Fig. 45. The state qubits
$\{|0\rangle, |1\rangle\}$ and one extra auxiliary level
$|2\rangle$ (to be described below) are identified as follows
(see Fig. 45):



|0> = |4 2 S 1/2 



\3 À D 
\3 2 D 



5/2 
5/2 



Mj 

Mj 



(158) 



The level ($4\,^2S_{1/2}$, $M_J$ = |) is the ground state while
($3\,^2D_{5/2}$, $M_J$ = |) is a metastable level with a long
lifetime (1.06 s). Both the electric-dipole transition
$4\,^2S_{1/2} \to 4\,^2P_{1/2}$ at 397 nm wavelength and the electric
quadrupole transition $4\,^2S_{1/2} \to 3\,^2D_{3/2}$ at 732 nm are
suitable for Doppler and sideband laser cooling, respectively.
In Doppler cooling the laser radiation pressure
slows down the axial motion of the ions until temperatures
T ~ a few mK. To further reduce the temperature
(T ~ a few μK) until no phonons are present, one resorts
to sideband cooling (Hughes et al. 1997).

FIG. 45: Relevant energy levels in Ca+ ions.

The interaction between CZ qubits is achieved using
two types of degrees of freedom: internal (the electronic
states of the ions), and external (the vibrational states
of their collective excitations). Thus, an active state for
information processing is the tensor product of an electronic
state and a quantum oscillator state of the axial
potential, namely,

$$
|\Psi\rangle = |x\rangle|\alpha\rangle, \quad x = 0, 1;\; \alpha = g, e,
\tag{159}
$$

where $|x\rangle$ refer to the electronic levels and $|g\rangle$,
$|e\rangle$ denote the ground state and first excited state of the
vibrational motion, respectively. In $|g\rangle$ there are no phonons
present in the system while there is one phonon in $|e\rangle$
(see Fig. ^).

2. Laser pulses

With this structure of states one can apply two types of
laser Rabi pulses to the ions in order to achieve quantum
logic operations. These are called V- and U-pulses:

V-pulse. This pulse implements one-qubit operations.
Its frequency is tuned to resonate with the optical transition
between the qubit states. It swaps the electronic
states $|0\rangle \leftrightarrow |1\rangle$ and leaves the
vibrational mode in the ground state $|g\rangle$. The unitary
evolution operator induced by this pulse is

$$
V(\theta,\phi) := e^{-iTH_V/\hbar}, \qquad
H_V := \tfrac{1}{2}\hbar\Omega\,[e^{-i\phi}|1\rangle\langle 0| + e^{i\phi}|0\rangle\langle 1|],
\tag{160}
$$

where $\theta := \Omega T$, $H_V$ is the V-pulse Hamiltonian,
$\Omega$ is the Rabi frequency (proportional to the square root of
the laser intensity), and $\phi$ is the laser phase. Then, this
pulse produces the following action on the electronic states:

$$
V(\theta,\phi):\quad
\begin{aligned}
|0\rangle &\mapsto \cos\tfrac{\theta}{2}\,|0\rangle - i e^{-i\phi}\sin\tfrac{\theta}{2}\,|1\rangle,\\
|1\rangle &\mapsto \cos\tfrac{\theta}{2}\,|1\rangle - i e^{i\phi}\sin\tfrac{\theta}{2}\,|0\rangle.
\end{aligned}
\tag{161}
$$

FIG. 46: Schematic representation of the transitions generated
by the V- and U-pulses.

U-pulse. This pulse is used to implement two-qubit
operations. The laser frequency is now adjusted to induce
simultaneously both an electronic and a vibrational
transition. To help performing the desired logic gates,
an auxiliary electronic state $|2\rangle$ (see Fig. 46) is
available. The time evolution operator led by this pulse is

$$
U_x(\kappa,\phi) := e^{-iTH_U(x)/\hbar}, \quad x = 1, 2, \qquad
H_U(x) := \tfrac{1}{2}\hbar\eta\Omega\,[e^{-i\phi}|x\rangle\langle 0|\,a + e^{i\phi}|0\rangle\langle x|\,a^\dagger],
\tag{162}
$$

where: $H_U$ is the U-pulse Hamiltonian, $\kappa := T\eta\Omega$,
$\eta$ is the Lamb-Dicke parameter 66 and $a^\dagger$, $a$ are
creation and annihilation phonon operators satisfying

$$
a^\dagger|g\rangle = |e\rangle, \quad a|e\rangle = |g\rangle, \quad [a, a^\dagger] = 1.
\tag{163}
$$

Several physical constraints on these parameters in a linear
ion-trap are to be fulfilled for it to function stably
and as required (Cirac and Zoller, 1995).

66 This quantity is the ratio between the width of the ion oscillation
in the vibrational ground state of the register and the (reduced)
laser wavelength $\lambda_L/2\pi$:
$\eta := (\hbar/2NM_{\rm ion}\omega_z)^{1/2}(2\pi/\lambda_L)$, where N
is the number of cold ions, and $\omega_z$ is the vibrational frequency
of the register CM along the trap axis. The Lamb-Dicke criterion
$\eta < 1$ is demanded for Eq. (162) to be a good approximation (Cirac
and Zoller, 1995). For the Ca+ trap, with N ~ 10, $\omega_z$ ~ 100 kHz,
then $\eta$ ~ 0.2.
The U-pulse acts as follows:

$$
U_x(\kappa,\phi):\quad
|x\rangle|g\rangle \mapsto \cos\tfrac{\kappa}{2}\,|x\rangle|g\rangle - i e^{i\phi}\sin\tfrac{\kappa}{2}\,|0\rangle|e\rangle.
\tag{164}
$$

3. Building logic gates

By controlling the duration of the laser pulses in (161)
and (164) we can perform logic operations in a fashion
akin to those for spin qubits with Rabi pulses. The
nice thing about the ion-trap QC is that the same Rabi
pulses can drive conditional logic when phonons are suitably
put to work.

For instance, a CNOT gate can be constructed using a
series of V- and U-pulses. To this end, we first reproduce
a $\pi$ controlled-phase (78) gate between qubits at sites i, j
as follows:

$$
U^{(i,j)}_{\rm CPh}(\pi) = U_1^{(i)}(\pi, 0)\,U_2^{(j)}(2\pi, 0)\,U_1^{(i)}(\pi, 0).
\tag{165}
$$

The explicit action of this sequence of operations is shown
in Fig. 47. This two-bit gate is constructed only out of
U-pulses.

In order to construct CNOT from this gate (see (79),
Fig. |H) we need to resort to V-pulses, namely

$$
U^{(i,j)}_{\rm CNOT} = V^{(j)}(\tfrac{1}{2}\pi, -\tfrac{1}{2}\pi)\,U^{(i,j)}_{\rm CPh}(\pi)\,V^{(j)}(\tfrac{1}{2}\pi, \tfrac{1}{2}\pi),
\tag{166}
$$

where these V-pulses correspond to Hadamard gates.
Other logic gates involving a larger number of qubits can
be constructed similarly using these basic pulse operations
(Cirac and Zoller, 1995).

FIG. 47: a) Quantum circuit for the controlled-phase
gate in an ion-trap QC. We denote by $|p(x_1)\rangle$ the phonon
states p(0) := g, p(1) := e. Note also that the overall
final phase is $(-1)^{x_1 x_2}$, as it corresponds to a controlled
phase $\phi = \pi$. b) Evolution of a state under the sequence
of U-pulses in (165).

Let us note that the $2\pi$ auxiliary rotations in (165) do
not produce any population of the auxiliary atomic levels
nor the CM levels. Thus, a variation of the population of
these levels by the gate operation would indicate a faulty
experimental realization.

Upon completion of the quantum operations in the
ion-trap QC, we need to read out the outcome result
(see Sec. IX). This is done by measuring the state of
each qubit in the quantum register using the quantum
jump technique (Nagourney et al., 1986; Bergquist et al.,
1986; Sauter et al., 1986). For instance, for the Ca+
qubits (158), the laser is tuned to the dipole transition
$4\,^2S_{1/2} \to 4\,^2P_{1/2}$ at 397 nm (see Fig. ||). Now, there
are two possibilities for the ion being addressed with the
laser: i) if the ion radiates (fluoresces), this means that its
state is $|0\rangle$; ii) if the ion does not radiate (remains
dark), then it was in the $|1\rangle$ state. Therefore, just by
observing which ions fluoresce and which remain dark we can
retrieve the bit values of the register. Actually, there is
a third possibility in which $4\,^2P_{1/2} \to 3\,^2D_{3/2}$. In order
to prevent this metastable level from being populated, a
pump-out laser is also required.


4. Further applications 

The ion-trap technique has also found applications
in the preparation of entangled states (Molmer and
Sorensen, 1999). This has been experimentally realized
by the NIST group (Sackett et al., 2000) with the generation
of entangled states of two and four trapped ions.
In Fig. 48 a 4-qubit quantum register used in these
experiments is shown.

Unavoidable errors put computational limits in ion-trap
quantum computers. Sources of these constraints
are the spontaneous decay of the metastable state, laser
phase decoherence, ion heating and other kinds of errors.
Using simple physical arguments it is possible to
place upper bounds on the number of laser pulses $N_U$
sustained by the ion trap before entering a decoherence
regime (Hughes et al., 1996), namely,



1.84 



< 



2Z(r/ls) 



AV2i?3/2( A / lm )3/2 



(167) 



where Z is the ion degree of ionization, $\tau$ is the lifetime
of the metastable state, L is the number of ions and A
their atomic mass, F parameterizes the focusing capability
of the laser and $\lambda$ is the laser wavelength. This
bound depends on the ion parameters A and $\tau$, making
some ion species more suitable than others. 67 With this
bound it is possible to estimate the number of ions needed
to factorize a 438-bit number using Ytterbium (with the
transition $4f^{14}6s\,^2S_{1/2} \to 4f^{13}6s^2\,^2F_{7/2}$, which has a
very long lifetime (1533 days) and a wavelength of 467 nm).
Around 2200 trapped ions and $4.5 \times 10^{10}$ pulses would
be required to perform the sought factorization, in about
100 hours of computation time (Hughes et al., 1996).

Scalability of the ion-trap QC is a central issue if we
want to have a real useful machine for number factoring
and the like. With current techniques, it is believed
that prospects for reaching a few tens of qubits are good
(Hughes et al., 1998). Cirac and Zoller (2000) have proposed
an ion-trap based quantum computer with a two-dimensional
array of independent ion traps and a different
ion (head) that moves above this plane. This setup
is still conceptually simple and it is believed to be within
reach of present experimental technologies.

67 The number $N_U$ refers only to the number of U-pulses, for they
last much longer than the V-pulses, which are thus neglected.

FIG. 48: Micromachined ion trap showing a four-qubit
register in the inset (Sackett et al., 2000).

B. NMR Liquids: Quantum Ensemble Computation

We have seen that using spin qubits and spin resonance
is a natural choice for doing quantum computations.
Nuclear spins are good candidates for spin qubits
but they pose both theoretical and experimental challenges.
There have been independent proposals to overcome
these difficulties: the logical labelling formalism by
Gershenfeld, Chuang and Lloyd (1996), Gershenfeld and
Chuang (1997), and the spatial averaging formalism by
Cory, Fahmy and Havel (1997). They have been addressed
experimentally by several groups. Later, a time
averaging formalism was introduced by Knill, Chuang
and Laflamme (1997).

The quantum hardware in this case consists of a liquid
containing a large number of molecules of a certain type.
A qubit is the spin of a nucleus in a molecule, and a quantum
register is a molecule as a whole, i.e., each molecule
is an independent quantum computer; operations are effected
using nuclear magnetic resonance techniques (Rabi
oscillations) and information transmission between nuclei
is based on the spin interactions within each molecule.


1. Spins at thermal equilibrium 

The choice of nuclear spins as qubits has several pros
and cons. On one hand, nuclear spins in a molecule of
a liquid are very robust quantum systems, for they are
well screened from other sources of magnetic fields by
the electron cloud that surrounds them. This results in
decoherence times of the order of seconds, long enough
to let quantum computations go on. On the other hand,
in a liquid at finite temperature the nuclear spins form
a highly mixed state, not a pure state as we have been
assuming in the formalism for quantum computation
introduced so far. Such formalism needs to be modified
accordingly, by describing with density matrices the mixed
states of spins and their evolution.

A consequence of the finite temperature is that the precise
initial conditions of a particular nuclear spin are not
known as required for standard quantum computation.
Instead, we can only know the probability of finding the
spin in one of the two states $|0\rangle = |\uparrow\rangle$ or
$|1\rangle = |\downarrow\rangle$. In the following, we shall assume
that the molecules in the solution are in thermal equilibrium at
some temperature T. Hence the density matrix describing the
quantum state of the relevant nuclear spins in each single
molecule is

$$
\rho := \frac{e^{-\beta H}}{{\rm Tr}[e^{-\beta H}]},
\tag{168}
$$

where H is the Hamiltonian of the system, $\beta = 1/k_B T$
the inverse temperature, and the trace is over any orthonormal
basis of the Hilbert space. Let us take the
simplest case of a single spin qubit with a Zeeman splitting
Hamiltonian $H = \omega S_z$, $\omega = -\gamma B_0$. Then, (168)
becomes

$$
\rho_{00} = \frac{e^{-\beta\hbar\omega/2}}{e^{\beta\hbar\omega/2} + e^{-\beta\hbar\omega/2}}, \qquad
\rho_{11} = \frac{e^{\beta\hbar\omega/2}}{e^{\beta\hbar\omega/2} + e^{-\beta\hbar\omega/2}}, \qquad
\rho_{01} = 0 = \rho_{10}.
\tag{169}
$$

The diagonal terms of $\rho$ represent the probability of finding
the spin in the state $|0\rangle$ or $|1\rangle$. In contrast, the
density matrix of a pure state
$|\psi(t)\rangle := a_0(t)|0\rangle + a_1(t)|1\rangle$ is

$$
\rho_\psi := |\psi\rangle\langle\psi| =
\begin{pmatrix} |a_0|^2 & a_0\bar{a}_1 \\ a_1\bar{a}_0 & |a_1|^2 \end{pmatrix}.
\tag{170}
$$

Therefore we see that at finite temperature and thermal
equilibrium, the off-diagonal elements of the density matrix
average to zero while they are non-vanishing for a
generic pure quantum state.

2. Liquid state NMR spectroscopy 

To overcome these difficulties, the proposal for an NMR
quantum computer takes advantage of the highly developed
techniques in liquid state NMR spectroscopy accumulated
for fifty years (Ernst et al., 1987).

In an NMR liquid the molecules are in solution. In each
molecule only some of its nuclei are active for doing quantum
computation. When the qubits consist of atomic nuclei of the
same chemical element the molecules are called homonuclear,
and heteronuclear otherwise. Examples of homonuclear molecules
are shown in Fig. , like the 2,3-dibromo-thiophene where the
active nuclear spins are those of the two hydrogen atoms, or
the 1-chloro-2-nitro-benzene with four active hydrogen atoms.
An example of heteronuclear molecule is the $^{13}$C-labelled
chloroform$^{68}$ in which the two active qubits come from the
atoms of hydrogen and carbon. The number of qubits in
the working register narrows the choice of the molecule
structure.

FIG. 49: Some examples of molecules used in NMR
liquid quantum computation: a) 2,3-dibromo-thiophene
(homonuclear), b) 1-chloro-2-nitro-benzene (homonuclear),
c) chloroform (heteronuclear)



$^{68}$ The nucleus of the most common isotope $^{12}$C is spinless.
Adding one extra neutron endows it with an overall operative spin $\tfrac{1}{2}$.



An appropriate experimental setup for NMR computation
is much like any other instrumentation used in
NMR spectroscopy. In Fig. 50 the basic structure of an
NMR spectrometer is shown. The liquid sample is held
in a probe inside a radio-frequency cavity subjected to a
strong homogeneous magnetic field of around 10 T, usually
produced by a superconducting magnet. The RF
cavity is tuned to the resonance frequencies of the active
nuclear spins.




FIG. 50: Schematic setup of an NMR experiment



In a typical sample there are $N \sim 10^{18}$ molecules
in solution. The dipole-dipole interactions between the
spins in different molecules as well as other intermolecular
interactions average to zero due to the random rotational
motion of the molecules in the usual time scale
for controlling the spin dynamics and the measurement
(Slichter, 1990). Hence, only interactions within each
molecule are observable and the sample can be regarded
as an ensemble of independent and mutually incoherent
quantum computers. This reasonable approximation
yields a huge reduction in the large density matrix of
dimension ~ describing the whole ensemble of active
nuclear spins, which may be replaced by a much smaller
density matrix of dimension $2^n$, where $n$ is the number
of active nuclei in a single molecule.

Within each molecule, the total Hamiltonian $H(t)$ of
the active spins has two parts (Cory et al., 2000), one
internal and another external:

$$H(t) := H_{\rm int} + H_{\rm ext}(t). \qquad (171)$$

The internal Hamiltonian describes the interactions
among spins within the molecule, while the external
Hamiltonian controls the spin dynamics under Rabi
pulses. The operator $H_{\rm int}$ embodies: a) the molecule
interaction energy with a strong homogeneous magnetic
field that causes a Zeeman splitting of the nuclear spin
levels; b) the spin-spin interactions between active nuclei,
modelled by a magnetic exchange interaction
$2(J_{ij}/\hbar)\,\mathbf{S}_i \cdot \mathbf{S}_j$ mediated by electrons
in molecular orbitals that overlap both nuclear spins. In most
cases this interaction can be further simplified using the weak
coupling approximation $|J_{ij}| \ll |\omega_i - \omega_j|$, which
assumes that the spin-spin coupling is much smaller than the
Zeeman splitting. This simplification produces a scalar coupling
of Ising type between the spins, and yields the following good
approximation to the internal Hamiltonian:



$$H_{\rm int} \simeq \sum_{i=1}^{n} \omega_i S_i^z + \sum_{i<j} 2 (J_{ij}/\hbar)\, S_i^z S_j^z, \qquad (172)$$



where $J_{ij}$ measures the coupling between the active spins
at sites $i, j$,$^{69}$ and $\omega_i$ are the resonance frequencies for
each spin. They are different even for homonuclear
molecules due to the unlike screening of each nuclear
spin from the surrounding electrons. This effect is called
chemical shift. Thus, in (172) the one-body terms may
be used to distinguish qubits, while the two-body terms
serve to implement the conditional logic of two-qubit
gates. The values of the parameters $\omega_i$ and $J_{ij}$ are
determined by standard NMR spectroscopy techniques prior
to the computation. Standard NMR spectroscopy and
NMR quantum computation share the means but differ
in goals: in the former we aim to determine the parameters
of the Hamiltonian (172) to study the chemistry and
dynamics of the molecules in solution, while in the latter
the form of (172) is already known and we set out to use
it to perform controlled logic operations.

The external time dependent Hamiltonian $H_{\rm ext}(t)$
helps to control the evolution of the spins. These form an
ensemble of systems, initially described by the thermal
density matrix $\rho$ (169), and its time evolution is

$$\rho(t) = U(t)\,\rho(0)\,U^\dagger(t), \qquad (173)$$

where $U(t)$ is the unitary propagator generated by the
total Hamiltonian in (171) and $\rho(0)$ is the thermal density
matrix (169).



3. High temperature regime: pseudo-pure states

The evolution of the density matrix (168) is simplified
in the high temperature limit $k_B T \gg \hbar\omega_i$, where the
Zeeman splittings are much smaller than the Boltzmann
energy. Then, we can approximate (168) as follows

$$\rho \simeq \frac{1 - \beta H}{\mathrm{Tr}(1 - \beta H)} = \frac{1}{2^n} - \frac{\beta H}{2^n}. \qquad (174)$$

Thus, in NMR quantum computing there is no need for
cooling down the system until reaching its ground state
as in other types of QCs.

Let us analyze step by step the approximation (174)
for quantum computing. First, let us consider the case
of a single spin. Then, the density matrix is simply given by

$$\rho_1 \simeq \tfrac{1}{2} - \epsilon_1 \delta_1, \qquad \delta_1 := S_1^z, \qquad \epsilon_1 := \tfrac{1}{2}\hbar\omega_1 / k_B T, \qquad (175)$$

where $\delta_1$ is called the deviation density matrix$^{70}$ and
$|\epsilon_1| \sim 10^{-5}$ at room temperature for conventional NMR
liquids. Thus, the factor $\epsilon_1$ gives the strength of the
NMR signal relative to background noise. This expression
can be further simplified by dropping out the unit
term, which does not change under time evolution (173):
in an NMR experiment the expectation value of an observable
$O$ is given by

$$\langle O \rangle = \mathrm{Tr}(O\rho), \qquad (176)$$

and, as it happens, all NMR observables are traceless.
Thus, all the information is in $\epsilon_1\delta_1$. As $\epsilon_1$ enters only
as an overall scale factor, we can also drop it out in all
this description and write the effective thermal density
matrix simply as

$$\rho_1 \sim S_1^z. \qquad (177)$$

Now let us recall that for a qubit in the ground state
or excited state the density matrices are

$$\rho_{|0\rangle} = |0\rangle\langle 0| = \tfrac{1}{2} + S^z, \qquad
\rho_{|1\rangle} = |1\rangle\langle 1| = \tfrac{1}{2} - S^z, \qquad (178)$$

and discarding the unit terms, we see that for NMR purposes
the one-qubit states $|0\rangle$, $|1\rangle$ are equivalent to $S^z$,
$-S^z$, respectively. The spin operators representing one-qubit
states in this correspondence are called pseudo-pure
or effective pure states. It also works for a superposition
state; for instance, the pure state
$|\Psi\rangle = 2^{-1/2}(|0\rangle + |1\rangle)$ has a density matrix

$$\rho_{|\Psi\rangle} = \tfrac{1}{2} + S^x, \qquad (179)$$

equivalent to $S^x$. Actually, the correspondence is one-to-one
in the case of one-qubit states, for the density matrix
of a single pure state (170) is a Hermitean operator that
can be expanded as a real linear combination of the Pauli
matrices $\{1, \sigma^x, \sigma^y, \sigma^z\}$.

Then, the time evolution of an NMR density matrix is
that of the spin-$\tfrac{1}{2}$ operators. When the external
Hamiltonian corresponds to a Rabi pulse, the transformation
laws are simple. The evolution operator for a single spin
with Zeeman Hamiltonian $H_1 := \hbar\omega_1 S_1^z$ is

$$U_z(t) := e^{-it\omega_1 S_1^z} = \cos(\tfrac{1}{2}\omega_1 t)\,1 - 2i\sin(\tfrac{1}{2}\omega_1 t)\,S_1^z, \qquad (180)$$

whence the evolution of the one-qubit effective pure states:

$$\begin{aligned}
U_z(t)\,S_1^x\,U_z^\dagger(t) &= \cos(\omega_1 t)\,S_1^x + \sin(\omega_1 t)\,S_1^y, \\
U_z(t)\,S_1^y\,U_z^\dagger(t) &= -\sin(\omega_1 t)\,S_1^x + \cos(\omega_1 t)\,S_1^y, \\
U_z(t)\,S_1^z\,U_z^\dagger(t) &= S_1^z.
\end{aligned} \qquad (181)$$

$^{69}$ In NMR spectroscopy $J_{ij}$ are typically $\sim 100$ Hz.

$^{70}$ Sometimes it is also called reduced density matrix.

The Zeeman propagator $U_z(t)$ rotates the spin around
the z-axis an angle $\varphi := \omega_1 t$. It is customary to use the
spectroscopist notation to denote the unitary action of
the RF pulses in the rotating frame or interaction picture:

$$[\varphi]_i^a := e^{-i\varphi S_i^a}, \qquad a = x, y, \qquad i = 1, 2, \ldots, n, \qquad (182)$$

where $\varphi$ is the rotation angle, $a$ is the rotation axis, and
$i$ the index labelling the rotating qubit. Thus, the effect
of a $[\pi]_1^x$ pulse $e^{-i\pi S_1^x}$ is

$$S_1^z \mapsto -S_1^z, \qquad (183)$$

i.e.

$$|0\rangle\langle 0| \mapsto |1\rangle\langle 1|. \qquad (184)$$



Therefore, with a $[\pi]_1^x$ pulse effected on a non-interacting
ensemble of single spins in thermal equilibrium, we can
effectively simulate the quantum transition between the
qubit states $|0\rangle$ and $|1\rangle$. In the thermal equilibrium
ensemble, there is an excess of populated ground states with
respect to the populations of excited states. After applying
the pulse, the populations are reversed. Likewise,
a $[\tfrac{1}{2}\pi]_1^x$ pulse produces off-diagonal terms in the density
matrix at finite temperature that simulate quantum
superpositions of pure states.

For multiqubit states, the correspondence between
pure states and spin density matrices is not so simple.
Let us consider the case of two-qubit states. It is possible
to extend the description of the multi-spin density matrix
using the so-called product operator formalism of the
NMR spectroscopists. Thus, the density matrix for the
pure ground state $|\Psi\rangle = |00\rangle$ is

$$\rho_{|00\rangle} := |00\rangle\langle 00| = \tfrac{1}{2}\left(\tfrac{1}{2} + S_1^z + S_2^z + 2 S_1^z S_2^z\right). \qquad (185)$$

In general, any density matrix can be expanded
in a tensor product basis of one-spin operators
$\{S_i^x, S_i^y, S_i^z\}_{i=1,\ldots,n}$. For $n$ qubits,

$$\rho = \sum_{\alpha_1,\ldots,\alpha_n} c_{\alpha_1,\ldots,\alpha_n}\, \sigma_1^{\alpha_1} \cdots \sigma_n^{\alpha_n}, \qquad
c_{\alpha_1,\ldots,\alpha_n} := 2^{-n}\,\mathrm{Tr}(\rho\, \sigma_1^{\alpha_1} \cdots \sigma_n^{\alpha_n}), \qquad (186)$$

where $\alpha_i = 0, x, y, z$, and $\sigma_i^0 := 1$.

This has the advantage that the evolution of the ensemble
density matrix is then simply determined through
the evolution rules for single spin operators. The problem
that we face now is that the thermal equilibrium
matrix in the high-temperature limit $k_B T \gg \hbar\omega_i$ for the
Hamiltonian (172) is

$$\rho_2 = \tfrac{1}{4} - \tfrac{1}{8}\hbar\beta\,\mathrm{diag}(\omega_1 + \omega_2 + J_{12},\ \omega_1 - \omega_2 - J_{12},\ -\omega_1 + \omega_2 - J_{12},\ -\omega_1 - \omega_2 + J_{12}), \qquad (187)$$

which is further approximated assuming a weak coupling
regime $|\omega_1 - \omega_2|, |J_{12}| \ll |\omega_1 + \omega_2|/2$ to

$$\rho_2 \simeq \tfrac{1}{4} - \epsilon_2 (S_1^z + S_2^z), \qquad \epsilon_2 := \tfrac{1}{8}\hbar(\omega_1 + \omega_2)/k_B T, \qquad (188)$$

and the corresponding deviation matrix $\delta_2 := S_1^z + S_2^z$ is
not equivalent to the initial quantum ground state (185)
we want to simulate. This is the initialization problem in
NMR computing.



4. Logic gates with NMR 



To prepare the ensemble of spins in the reference state
(185) as well as to implement the logical operations for
quantum processing, we need to resort to a series of well-known
techniques in NMR liquid spectroscopy to carry
out controlled time evolution of spins:

i) Rabi pulses. The associated external Hamiltonian
(171) corresponds to a harmonically oscillating magnetic
field perpendicular to the Zeeman axis. It is applied at
resonance and its effect on a single spin in the z-direction
is the following

$$[\varphi]_1^y : S_1^z \mapsto \cos(\varphi)\,S_1^z + \sin(\varphi)\,S_1^x, \qquad (189)$$

where $\varphi := \Omega t$, $t$ being the time duration and $\Omega$ the Rabi
frequency.

ii) Chemical-shift pulses. They act as the propagator
generated by the Zeeman part of the internal Hamiltonian
(171). Their effect on the spin operators is given by

iii) Scalar pulses. These induce the time evolution
under the scalar coupling (two-spin) part of the internal
Hamiltonian (171). For two qubits labelled 1, 2, this
scalar coupling propagator is also diagonal in the
computational basis:

$$U_J(t) = e^{-i 2 J_{12} t S_1^z S_2^z} = \cos(\tfrac{1}{2} J_{12} t) - 4i \sin(\tfrac{1}{2} J_{12} t)\, S_1^z S_2^z, \qquad (190)$$

and its effect on single spin operators is

$$\begin{aligned}
U_J(t)\,S_1^x\,U_J^\dagger(t) &= \cos(J_{12} t)\,S_1^x + 2\sin(J_{12} t)\,S_1^y S_2^z, \\
U_J(t)\,S_1^y\,U_J^\dagger(t) &= \cos(J_{12} t)\,S_1^y - 2\sin(J_{12} t)\,S_1^x S_2^z, \\
U_J(t)\,S_1^z\,U_J^\dagger(t) &= S_1^z.
\end{aligned} \qquad (191)$$

The NMR spectroscopist notation for these pulses is

$$[\varphi]_{12}^J := e^{-i 2 J_{12} t S_1^z S_2^z}, \qquad (192)$$

where the rotation angle is $\varphi = J_{12} t$ and the subscript
denotes the spins involved in the scalar pulse.

iv) Gradient pulses. This is the technique used in the
spatial averaging formalism of Cory et al. (1996; 1997).
It consists in applying an external Hamiltonian (171) in
the form of a field gradient along the liquid sample:

$$H_{\rm grad} = \sum_{i=1}^{n} \gamma_i\,(z\,\partial_z B_z)_{z = z_i}\, S_i^z, \qquad (193)$$

where $z_i$ is the coordinate of the $i$-th spin in the sample
along the direction of the applied field gradient.
This produces a spatially varying distribution of states
throughout the sample. Its effect is to create a position-dependent
phase shift with zero average, causing the vanishing
of non-diagonal elements of the density matrix.
The notation for these pulses is $[\mathrm{grad}]^z$.

This gradient method is used to selectively turn off the
transverse (x, y) spin factors in the product operator
expansion of the density matrix, while leaving untouched
the rest. For example, it is possible to induce the following
transformation

$$[\mathrm{grad}]^z : S_1^x + S_2^z \mapsto S_2^z. \qquad (194)$$



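Now, the combined effect of the following series of
pulses (Jones, 2000) produces the reference state (185)
starting from the thermal ensemble of spins (188):$^{71}$

$$\begin{aligned}
S_1^z + S_2^z
&\xrightarrow{[\pi/3]_2^x} S_1^z + \tfrac{1}{2} S_2^z - \tfrac{\sqrt{3}}{2} S_2^y \\
&\xrightarrow{[\mathrm{grad}]^z} S_1^z + \tfrac{1}{2} S_2^z \\
&\xrightarrow{[\pi/4]_1^x} \tfrac{1}{\sqrt{2}} S_1^z - \tfrac{1}{\sqrt{2}} S_1^y + \tfrac{1}{2} S_2^z \\
&\xrightarrow{[\pi/2]_{12}^J} \tfrac{1}{\sqrt{2}} S_1^z + \tfrac{1}{\sqrt{2}}\, 2 S_1^x S_2^z + \tfrac{1}{2} S_2^z \\
&\xrightarrow{[-\pi/4]_1^y} \tfrac{1}{2} S_1^z - \tfrac{1}{2} S_1^x + \tfrac{1}{2}\, 2 S_1^x S_2^z + \tfrac{1}{2} S_2^z + \tfrac{1}{2}\, 2 S_1^z S_2^z \\
&\xrightarrow{[\mathrm{grad}]^z} \tfrac{1}{2} S_1^z + \tfrac{1}{2} S_2^z + \tfrac{1}{2}\, 2 S_1^z S_2^z.
\end{aligned} \qquad (195)$$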

Once we have the reference state available, we can proceed
to effectively simulate other quantum states applying
series of pulses to produce the desired ensemble of
spin states. For instance, the density matrix of the Bell
state $|\Psi\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$ in the product operator
formalism is

$$\rho_{|\Psi\rangle} = \tfrac{1}{2}\left(\tfrac{1}{2} + 2 S_1^z S_2^z + 2 S_1^x S_2^x - 2 S_1^y S_2^y\right), \qquad (196)$$

which can be reached from the ground state $|00\rangle$ with the
unitary operator

$$U = e^{-i\pi S_1^x S_2^y}. \qquad (197)$$

$^{71}$ This sequence is not necessarily unique.



This propagator, in turn, can be simulated with the
following series of NMR pulses (from right to left):



■Ml 



P|oo> !->• (198) 



Likewise, the controlled-NOT gate is simulated by the
following sequence:



[-Í7T 



2 L2 " J 1 L2 " J 12 L2 ' 



(199) 



In a similar fashion, one can implement other quantum
states and logic gates. Actually, this NMR pulse
technique has been so highly developed that it is possible
to simulate the propagator of a set of interacting
spins with any desired couplings, even turning on and off
certain spin couplings at will. For this reason, this capability
for controlling the NMR dynamics is referred to as
spin choreography (Freeman, 1998).
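
The pseudo-pure state preparation and the Bell-state propagator discussed above can be checked numerically with the closed forms of the Rabi and scalar pulses. The following Python code is an added example, not part of the original paper; the pulse axes used ($[\pi/3]_2^x$, $[\pi/4]_1^x$, $[-\pi/4]_1^y$), the modelling of a gradient pulse as removal of all off-diagonal elements, and all function names are assumptions of this example.

```python
import math

# Spin-1/2 operators S = sigma/2 in the basis |0> = up, |1> = down.
I2 = [[1, 0], [0, 1]]
SX = [[0, 0.5], [0.5, 0]]
SY = [[0, -0.5j], [0.5j, 0]]
SZ = [[0.5, 0], [0, -0.5]]

def kron(a, b):
    """Tensor product; basis index of |q1 q2> is 2*q1 + q2."""
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def add(*terms):
    """Linear combination of matrices given as (coefficient, matrix) pairs."""
    n = len(terms[0][1])
    return [[sum(c * m[i][j] for c, m in terms) for j in range(n)]
            for i in range(n)]

def dagger(a):
    n = len(a)
    return [[a[j][i].conjugate() for j in range(n)] for i in range(n)]

I4 = kron(I2, I2)
S1 = {"x": kron(SX, I2), "y": kron(SY, I2), "z": kron(SZ, I2)}
S2 = {"x": kron(I2, SX), "y": kron(I2, SY), "z": kron(I2, SZ)}

def rabi(phi, spin, axis):
    """[phi]_i^a = exp(-i phi S_i^a) = cos(phi/2) 1 - 2i sin(phi/2) S_i^a."""
    s = (S1 if spin == 1 else S2)[axis]
    return add((math.cos(phi / 2), I4), (-2j * math.sin(phi / 2), s))

def scalar(phi):
    """exp(-i 2 phi S_1^z S_2^z) with phi = J_12 t, in closed form."""
    zz = mul(S1["z"], S2["z"])
    return add((math.cos(phi / 2), I4), (-4j * math.sin(phi / 2), zz))

def evolve(u, rho):
    """rho -> U rho U^dagger."""
    return mul(mul(u, rho), dagger(u))

def gradient(rho):
    """Assumed model of [grad]^z: every off-diagonal element is dephased away."""
    n = len(rho)
    return [[rho[i][j] if i == j else 0 for j in range(n)] for i in range(n)]

def prepare_pseudo_pure():
    """Thermal deviation S_1^z + S_2^z -> (S_1^z + S_2^z + 2 S_1^z S_2^z)/2."""
    rho = add((1, S1["z"]), (1, S2["z"]))
    rho = gradient(evolve(rabi(math.pi / 3, 2, "x"), rho))
    rho = evolve(rabi(math.pi / 4, 1, "x"), rho)
    rho = evolve(scalar(math.pi / 2), rho)        # J_12 t = pi/2
    return gradient(evolve(rabi(-math.pi / 4, 1, "y"), rho))

def bell_from_reference(rho_ref):
    """Apply U = exp(-i pi S_1^x S_2^y) = cos(pi/4) 1 - 4i sin(pi/4) S_1^x S_2^y."""
    xy = mul(S1["x"], S2["y"])
    u = add((math.cos(math.pi / 4), I4), (-4j * math.sin(math.pi / 4), xy))
    return evolve(u, rho_ref)

def diagonal(rho):
    return [round(rho[i][i].real, 12) for i in range(len(rho))]

if __name__ == "__main__":
    ref = prepare_pseudo_pure()
    # The result equals |00><00| minus 1/4 of the unit matrix.
    print("reference-state populations:", diagonal(ref))
    bell = bell_from_reference(ref)
    print("Bell coherence <00|rho|11>:", round(bell[0][3].real, 12))
```

The prepared deviation matrix differs from $|00\rangle\langle 00|$ only by a multiple of the unit matrix, which is invisible to traceless NMR observables.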

The logical labelling formalism of Gershenfeld and
Chuang (1997) uses a different strategy to prepare
pseudo-pure states. It is based on the appropriate embedding
of a set of spin states into a larger system. It does
not resort to field gradients but instead these auxiliary
spin states are used to implement the quantum computation
with several qubits. There are also experimental
realizations of this scheme (Vandersypen et al., 1999).



5. Measurements 

Once the NMR computation is over, we have to read
out the result from the spectrometer. This is done by
measuring the macroscopic magnetization of the liquid
sample with a detection coil (see Fig. 50). This bulk
magnetization induces currents in the transverse RF coil
which is tuned to the resonance frequency. The RF coil
generates a dipole field and only the dipolar components
of the density matrix oriented along the transversal magnetic
field will couple to the measurement device.

In computing with NMR ensembles, measuring an observable
(176) entails a perturbation softer than for pure
states, where measurement is a strong projective process.
The measured currents are proportional to the following
trace (Cory et al., 2000)

$$\mathrm{Tr}\Big[\sum_i S_i^+ \rho\Big], \qquad (200)$$

with $S_i^+ := S_i^x + i S_i^y$. For instance, the signal (200) due to
the precession induced on $S_i^x$, $i = 1, 2$, by the chemical-shift
and scalar-coupling pulses acting on a two-qubit
molecule such as the 2,3-dibromo-thiophene (Fig. 49 a)),
is shown in Fig. 51. This is the Fourier-transformed real
part of the signal (Cory, Price and Havel, 1997) and
clearly shows the population peaks corresponding to the
4 states of a two-spin system depicted in Fig. 43. This is
called an in-phase doublet, for both peaks have the same
sign. For different series of pulses the pattern of the signal
changes accordingly and this allows us to retrieve the
information contained in the ensemble of states. When
implementing simple quantum algorithms with NMR liquid
spectroscopy, the output retrieval is performed by
analysing a subset of resonances, but in more general
situations a technique called quantum state tomography
is used to systematically obtain the final quantum state
(Knill, Chuang and Laflamme, 1997).

FIG. 51: Schematic signal from an NMR liquid spectrometer
corresponding to an in-phase doublet for a two-spin
system with energy levels as in Fig. 43. Notice that here
the frequencies are positive.



6. Achievements and limitations 



There is an extensive list of experimental achievements
in NMR quantum computing (Cory et al., 2000). Just
to quote a few of them, two-qubit gates have been constructed
by several groups (Cory, Fahmy and Havel, 1996;
Chuang et al., 1997; Collins et al., 1999), the Toffoli gate
has also been implemented (Price et al., 1999), as well as
the quantum Fourier transform (Weinstein, Lloyd, and
Cory, 1999), quantum teleportation (Nielsen, Knill and
Laflamme, 1998), etc., and there are NMR experiments
involving 7 qubits (Knill et al., 2000). An alternative
approach to implement NMR quantum computation uses
geometric phase-shift gates (Jones et al., 2000) where the
controlled phases are Berry phases.

Despite the list of successes in NMR quantum computing,
there are currently strong limitations in the scalability
of the pseudo-pure state preparation: it is clear from
(174) that the deviation density matrix used in
high-temperature NMR scales exponentially down with the
factor $2^{-n}$. This is a severe limitation that reduces the
ratio of the observable signal to the background noise.
To overcome this inefficiency we would need an exponentially
large system.$^{72}$ It is currently estimated that it
is not possible to go well beyond 10 qubits using NMR
liquid state methods. This and other shortcomings have
led to the pursuit of other NMR-like proposals, but this time
based on solid state samples (Cory et al., 2000), with the
aim of using true pure states. The goals set for these
proposals are to reach 10-30 qubits, still not far enough
for competitive purposes.

The use of mixed states in NMR computing and the
fact that they are exponentially inefficient have raised
doubts about the truly quantum nature of the computations
carried out by NMR liquid spectroscopy. The
main objection comes from the result by Braunstein et
al. (1999) showing that all the pseudo-pure states used so
far in NMR are separable, with no entanglement. This
does not invalidate the exponential speed-up obtained
with the implementation of quantum algorithms.$^{73}$



C. Solid-State Quantum Computers 

There are several proposals for building a quantum
computer with some sort of solid-state device. We have
just mentioned that a possible cure for the shortcomings
of bulk NMR liquid computation is precisely resorting to
solid NMR techniques. One type of proposal uses macroscopic
superconducting devices with a radio frequency
SQUID as the qubit (Averin, 1998). The presence of 0
or 1 quanta of flux is the two-state system. Several ways
to couple the SQUIDs to make logic circuits exist, like
using Josephson tunnel junctions (Makhlin, Schön and
Shnirman, 2001). Other types of designs rely on quantum
dot nanotechnology: Barenco et al. (1995) proposed using
both charge and spin degrees of freedom for qubits in
quantum dots, addressed respectively with electric and
magnetic fields. Loss and DiVincenzo (1998) also propose
using spin states of electrons in quantum dots as qubits.

The list of experimental proposals is too large by now
to be covered in detail. Instead, we shall focus on one
of the most original proposals for doing solid-state quantum
computation: this is Kane's idea (1998) for building
a silicon-based quantum computer. This is an appealing
program, for Kane envisages the possibility of using the
semiconductors used in most conventional computer electronics
for building also a quantum computer, although
the challenges to achieve this goal are still enormous.
The belief though is that the silicon technology is a very
rapidly developing field and there are chances to overcome
those challenges.

$^{72}$ Something that happens in classical DNA computing (Adleman,
1994), where there is a trade-off between exponential computing
time for solving a problem and exponential space for molecular
states.

$^{73}$ Whether working with separable states in NMR spectroscopy
is a truly quantum computation or not is still a controversial issue
(Jones, 2000).

The quantum hardware in Kane's proposal is an array
of nuclear spins located on donors in silicon. Then,
a qubit is the individual nuclear spin of phosphorus $^{31}$P
atoms; a quantum register is the whole array of $^{31}$P
dopants in silicon $^{28}$Si; operations are effected using
a combination of magnetic resonance techniques (Rabi
pulses) with static electric fields; information is exchanged
between nearby $^{31}$P nuclear spins by means of
the surrounding electrons.



FIG. 52: Schematic design of a silicon-based quantum
computer, with A-gates and J-gates, pursued by the group
of South Wales university.



1. Semiconductors for quantum computation 

The choice of nuclear spins in this case is again motivated
by their extremely good isolation from the environment,
like in the NMR proposal. A further requirement
now is that the dopant spins must not interact appreciably
with the spins of the host semiconductor. To guarantee
this we demand that the chemical elements of the
host have zero nuclear spin $S = 0$, to avoid undesired spin
couplings. This singles out the semiconductor group V
as a host candidate and removes other groups like III
(with Ga) and IV (with As). Silicon $^{28}$Si is an example
of stable isotope in group V.

Unlike the NMR liquid spectroscopy, Kane's QC is neither
a bulk spin quantum computation nor resorts to
macroscopic magnetization measurements. Instead, it
truly needs addressing spins individually for initialization
and readout, and this is precisely one of the open
challenges.

The basic ingredient in Kane's proposal is to trade
direct nuclear spin interactions by electronic detections,
which are likely to be easier to handle. Thus, the spin
state of an individual nucleus dopant on a semiconductor
will not be detected directly, but through its hyperfine
interaction with the surrounding electrons. The hyperfine
interaction is proportional to the probability density
of the electrons at the nucleus. The electronic cloud is
sensitive to electric voltages and can in principle be externally
manipulated. Moreover, in certain cases the electronic
wave functions extend far enough so as to overlap
with a neighbouring atom, thereby producing an indirect
coupling between nuclear spins mediated by the atomic
electrons. This indirect electron coupling can also be enhanced
by applying external electric fields.

These conditions are met by shallow level donors like
$^{31}$P, for which the range of the electron wave function
is of order 10-100 Å. In addition, within the group V,
the only shallow donor in Si with nuclear spin $S = \tfrac{1}{2}$
is precisely $^{31}$P. Therefore, the $^{31}$P:Si system is a good
candidate for a silicon based quantum computer. For
instance, at low $^{31}$P concentrations and low temperature
$T = 1.5$ K, the electron spin relaxation time is of order $10^3$
s, and the nuclear spin relaxation time is over 10 hours.
If the temperature is further reduced to $T \sim$ mK, the
phonon limited $^{31}$P relaxation time is likely of the order
of $10^{18}$ s (Kane, 1998).



2. External control fields 

We see that in Kane's idea the electrons play a role similar
to phonons in the Cirac-Zoller gate: they both mediate
the conditional interactions between the real qubits.
Likewise, we also need external electric fields to bring
dopant nuclei close enough to interact. In all, we need to
control three types of external fields:

1) Electric gates above the donors to control individual
electronic states (see Fig. 52).

2) Electric gates between the donors to control interactions
between qubits.

3) Constant $B$ and oscillating $B_{ac}$ magnetic fields to
execute operations on the individual spins much akin to
those we have described for nuclear spin resonance.

The scenario for replacing a Si vacancy by a P dopant
atom is possible because both elements have similar sizes.
Of the five outer (3p) electrons in a $^{31}$P atom (one more
than in Si), four of them will form covalent bonds with
neighbouring Si atoms, while the remaining fifth electron
is loosely bound to the $^{31}$P atom. This outer electron and
the rest of the dopant atom behave in first approximation
as a hydrogen-like atom embedded into a Si environment.
At low temperatures, the electron state is 1s and this
yields a large hyperfine interaction. The effective Bohr
radius is estimated at 30 Å. To proceed with the quantum
computation we need this electron to remain in its ground
state, and to apply an external constant magnetic field
to break the spin degeneracy. These conditions are met
if $2\mu_B B \gg k_B T$, as for the typical values $B > 2$ T and
$T < 100$ mK.






3. Logic gates 

The description of the basic gate operations is the following:

i) One-qubit A-gate. The terminology is due to the
$A$ coupling constant of the hyperfine interaction between
nuclear and electron spins. Single spin control is achieved
by externally changing the voltage on a gate electrode
(A-gate) located on top of each nucleus (see Fig. 52);
spin-flips are then driven by a Rabi pulse tuned to the
resonance frequency for the particular spin.

The one-qubit Hamiltonian $H_1$ modelling the interaction
between the nuclear spin (denoted by $n$) and the
electronic spin (denoted by $e$) in the presence of a constant
magnetic field $B$ is



$$H_1 := H_{1,Z} + (A/\hbar^2)\,\mathbf{S}_{n,1} \cdot \mathbf{S}_{e,1}, \qquad H_{1,Z} := \ldots \qquad (201)$$



where $\mathbf{S}_{n,1}$, $\mathbf{S}_{e,1}$ are the nuclear and electron spins,
$\gamma_n \mathbf{S}_{n,1}$, $\gamma_e \mathbf{S}_{e,1}$ their corresponding magnetic moments,
and

$$A := \frac{8\pi}{3}\,\bar\gamma_n \bar\gamma_e\, |\Psi(0)|^2, \qquad \text{with } \bar\gamma_n := \hbar\gamma_n,\ \bar\gamma_e := \hbar\gamma_e, \qquad (202)$$

is the contact hyperfine interaction energy, with $|\Psi(0)|^2$
the probability density of the electron wave function at
the nucleus position. Note that $\bar\gamma_e = -g_e\mu_B$, $\bar\gamma_n = g_n\mu_N$,
where $g_e = 2$, $g_n \approx 2 \times 1.13$ are, respectively, the relevant
electron Landé g-factor and the nuclear gyromagnetic
factor in $^{31}$P:Si. Under operating conditions the
electron remains in its ground state, and the separation
of the nuclear spin levels is, to second order in the
hyperfine coupling $A \ll |\bar\gamma_e| B$:$^{74}$

$$\hbar\omega_A = \bar\gamma_n B + \frac{A}{2} - \frac{A^2}{4\bar\gamma_e B}. \qquad (203)$$

In $^{31}$P:Si, $A/2h = 58$ MHz and therefore $A > \bar\gamma_n B$ for
$B < 3.5$ T. We can have control over this energy gap
with the static electric field applied with the A-gate (see
Fig. 52). This shifts the electron wave function away
from the nucleus (see Fig. 53) and reduces the hyperfine
interaction $A$ in (202). Thus, the frequency (203) of the
nuclear spins is controlled externally and this allows us
to bring them into resonance with the oscillating pulse
$B_{ac}$ in order to effect arbitrary one-spin rotations.

$^{74}$ We have also approximated $-\bar\gamma_e B + \bar\gamma_n B$ by $-\bar\gamma_e B$ in the
denominator of (203).

FIG. 53: Pictorial representation of an A-gate that controls
the nucleus-electron system (201). An externally
applied electric field shifts the electron wavefunction from
the donor $^{31}$P, reducing the contact hyperfine interaction
(202).

ii) Two-qubit J-gate. The name is suggested by the $J$
spin-exchange coupling between electron spins. Conditional
logic operations are possible because of electron-mediated
interactions between the nuclear spins of two
Kane's qubits when brought sufficiently close by an externally
applied voltage (J-gate) (see Fig. 52). The two-qubit
Hamiltonian is then



(204) 



i=l 



where $H_{i,Z}$ are the Zeeman Hamiltonians for each qubit
(201), $A_i$ are the hyperfine couplings for each nucleus-electron
system and $J$ is the exchange coupling interaction
between electron spins. This exchange energy
depends on the overlap of the electron wave functions.
Treating the $^{31}$P dopants as hydrogen-like atoms in first
approximation, the $J$ coupling can be estimated for well
separated donors as (Herring and Flicker, 1964)

$$J(r) \simeq 1.6\,\frac{e^2}{\epsilon a_B}\left(\frac{r}{a_B}\right)^{5/2} e^{-2r/a_B}, \qquad (205)$$



with $r$ the inter-donor distance, $\epsilon = 11.7$ the Si dielectric
constant and $a_B$ the Bohr radius of the atom. As the
$J$ coupling depends on the electron overlapping, we can
use again a voltage gate between the donors to distort the
electron clouds in order to control their coupling strength
(see Fig. 54). This coupling will be significant when
$J \sim |\bar\gamma_e| B/2$ and this corresponds to a donor separation of
order 100-200 Å (Kane, 1998), which is not far from the
current limits of atom-scale lithography.

The relevant energy levels for doing quantum computation
with a two-qubit Hamiltonian (204) are easily found
(Berman et al., 1999). This Hamiltonian is a $16 \times 16$
matrix. We shall label the basis states with the components
of the nuclear and electron spins at each donor site,
with $|0\rangle_n$, $|1\rangle_n$ denoting nuclear spins (up and down) and
$|\uparrow\rangle_e$, $|\downarrow\rangle_e$ for the electron spins; for instance,

$$|11\rangle_n |\downarrow\downarrow\rangle_e \qquad (206)$$

represents a state with both nuclear and electron spins
down.

In the presence of a static magnetic field and for low
temperatures ($k_B T \ll |\bar\gamma_e| B$), the electrons remain with
the spins down polarized $|\downarrow\downarrow\rangle_e$. For example, $B = 2$ T,
$T = 100$ mK meet this requirement. However, we shall
see that switching the J-gate on may change such state,
which will be the basis for doing spin measurements.

FIG. 54: Pictorial representation of a J-gate that controls
the nucleus-electron-nucleus system (204). When
the electrostatic potential of the J-gate is off (a)) or on
(b)), the J-exchange coupling in (204) gets reduced or
enhanced, respectively.

The essence of the functioning of the J-gate is to
enhance the overlap between the electron wave functions
of two nearest $^{31}$P donors. In this way, the
$^{31}$P nuclear spins (Kane qubits) can be indirectly coupled
to one another through the electron mediated interaction
$J$. To perform two-qubit quantum logic gates, we
need to address individually the 4 nuclear spin states
$\{|00\rangle_n, |01\rangle_n, |10\rangle_n, |11\rangle_n\}$. For simplicity, we assume
$A_1 = A_2 = A$. In the absence of J-coupling the states
$|01\rangle_n |\downarrow\downarrow\rangle_e$, $|10\rangle_n |\downarrow\downarrow\rangle_e$ are degenerate. These states
belong to the sector of total z-component of spin
$S^z_{\rm tot} := (S^z_{1,n} + S^z_{2,n}) + (S^z_{1,e} + S^z_{2,e}) = -1$. The role of the J-gate
is precisely to control this energy splitting, which we now
try to estimate.

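Let us consider the Kane implementation of the
CNOT-gate (Goan and Milburn, 2000). There are four
steps involved:

1/ We start with $J = A_2 - A_1 = 0$, so that the states
$\{|00\rangle_n |\downarrow\downarrow\rangle_e, |01\rangle_n |\downarrow\downarrow\rangle_e, |10\rangle_n |\downarrow\downarrow\rangle_e, |11\rangle_n |\downarrow\downarrow\rangle_e\}$
have energies

$$\begin{aligned}
E_{|00\rangle_n |\downarrow\downarrow\rangle_e} &= -\sqrt{(-\bar\gamma_e + \bar\gamma_n)^2 B^2 + A^2} - \tfrac{1}{2} A, \\
E_{|01\rangle_n |\downarrow\downarrow\rangle_e} &= E_{|10\rangle_n |\downarrow\downarrow\rangle_e} = \tfrac{1}{2}\Big((\bar\gamma_e + \bar\gamma_n) B - \sqrt{(-\bar\gamma_e + \bar\gamma_n)^2 B^2 + A^2}\Big), \\
E_{|11\rangle_n |\downarrow\downarrow\rangle_e} &= (\bar\gamma_e + \bar\gamma_n) B + \tfrac{1}{2} A.
\end{aligned} \qquad (207)$$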



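2/ Next one introduces a bias between the two A-gates
by adiabatically switching on a difference $\Delta A := A_1 - A_2$
in their couplings, while keeping still $J = 0$. This
splits the degeneracy of the $|01\rangle_n |\downarrow\downarrow\rangle_e$, $|10\rangle_n |\downarrow\downarrow\rangle_e$ states,
allowing us to choose one as a control qubit and the other
as a target qubit. The energies in (207) become

$$\begin{aligned}
E_{|00\rangle_n |\downarrow\downarrow\rangle_e} &= -\tfrac{1}{2}\Big(\sqrt{(-\bar\gamma_e + \bar\gamma_n)^2 B^2 + A_1^2} + \sqrt{(-\bar\gamma_e + \bar\gamma_n)^2 B^2 + A_2^2}\Big) - \tfrac{1}{4}(A_1 + A_2), \\
E_{|01\rangle_n |\downarrow\downarrow\rangle_e} &= -\tfrac{1}{4}\Delta A + \tfrac{1}{2}\Big((\bar\gamma_e + \bar\gamma_n) B - \sqrt{(-\bar\gamma_e + \bar\gamma_n)^2 B^2 + A_1^2}\Big), \\
E_{|10\rangle_n |\downarrow\downarrow\rangle_e} &= \tfrac{1}{4}\Delta A + \tfrac{1}{2}\Big((\bar\gamma_e + \bar\gamma_n) B - \sqrt{(-\bar\gamma_e + \bar\gamma_n)^2 B^2 + A_2^2}\Big), \\
E_{|11\rangle_n |\downarrow\downarrow\rangle_e} &= (\bar\gamma_e + \bar\gamma_n) B + \tfrac{1}{4}(A_1 + A_2),
\end{aligned} \qquad (208)$$

and the corresponding eigenstates are still
$\{|00\rangle_n |\downarrow\downarrow\rangle_e, |01\rangle_n |\downarrow\downarrow\rangle_e, |10\rangle_n |\downarrow\downarrow\rangle_e, |11\rangle_n |\downarrow\downarrow\rangle_e\}$, predominantly.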

3/ Once the two qubits are distinguished energetically
it is time to introduce, again adiabatically, the J-coupling
to bring the states $|10\rangle_n$ and $|01\rangle_n$ to the symmetric and
antisymmetric combinations, namely

$$
\begin{aligned}
|10\rangle_n &\to |s\rangle_n := 2^{-1/2}\big(|01\rangle_n + |10\rangle_n\big), \\
|01\rangle_n &\to |a\rangle_n := 2^{-1/2}\big(|01\rangle_n - |10\rangle_n\big).
\end{aligned}
\qquad (209)
$$

For this purpose it is necessary to keep J at full strength
before switching off adiabatically $\Delta A$.

The energies of the new eigenstates both in presence
of A- and J-couplings, with $\Delta A = 0$, can be computed
exactly by diagonalizing $H_{12}$ in the sectors of fixed total
third component $S^z_{\rm tot}$ of the spin, since this is a conserved
quantity. Only the values $S^z_{\rm tot} = -2, -1, 0$ are relevant
for our discussion, since our initial states lie there. First
we need to know the energy splitting $\hbar\omega_J$ between the
symmetric and antisymmetric qubit states in the sector
$S^z_{\rm tot} = -1$. Second, to control the Rabi pulse in the
coming step, the gap energy $\hbar\omega_{ac}$ between $|s\rangle_n|\downarrow\downarrow\rangle_e$ and
$|11\rangle_n|\downarrow\downarrow\rangle_e$ must also be known.

To calculate $\hbar\omega_J$ we use the reduced basis

$$\{|01\rangle_n|\downarrow\downarrow\rangle_e,\ |10\rangle_n|\downarrow\downarrow\rangle_e,\ |11\rangle_n|\downarrow\uparrow\rangle_e,\ |11\rangle_n|\uparrow\downarrow\rangle_e\} \qquad (210)$$

to express the Hamiltonian $H_{12}$ in the sector $S^z_{\rm tot} = -1$
as the following matrix



ff(-i) - 
fjJ + %B 







\J + %B 




7-4 



■U + %B ij 



(211) 



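As $A_1 = A_2 = A$, the two-qubit Hamiltonian is symmetric
under the site labels and its eigenvectors can either
be symmetric or antisymmetric under this exchange.
The two symmetric (unnormalized) eigenstates are given
by

$$|s,\pm\rangle := \big(\gamma_n B + \tfrac{1}{4}J - E_{s,\pm}\big)\,|s\rangle_n|\downarrow\downarrow\rangle_e
  - \tfrac{1}{2}A\,|11\rangle_n|s\rangle_e, \qquad (212)$$

where

$$
\begin{aligned}
|s\rangle_e &:= \tfrac{1}{\sqrt{2}}\big(|\downarrow\uparrow\rangle_e + |\uparrow\downarrow\rangle_e\big), \\
E_{s,\pm} &:= \tfrac{1}{2}(\gamma_e+\gamma_n)B + \tfrac{1}{4}J \pm \tfrac{1}{2}\sqrt{(-\gamma_e+\gamma_n)^2 B^2 + A^2}.
\end{aligned}
\qquad (213)
$$

Similarly the two antisymmetric (unnormalized) eigenstates
are

$$|a,\pm\rangle := \big(-\gamma_e B - \tfrac{1}{4}J + E_{a,\pm}\big)\,|11\rangle_n|a\rangle_e
  - \tfrac{1}{2}A\,|a\rangle_n|\downarrow\downarrow\rangle_e, \qquad (214)$$

with

$$
\begin{aligned}
|a\rangle_e &:= \tfrac{1}{\sqrt{2}}\big(|\downarrow\uparrow\rangle_e - |\uparrow\downarrow\rangle_e\big), \\
E_{a,\pm} &:= \tfrac{1}{2}(\gamma_e+\gamma_n)B - \tfrac{1}{4}J \pm \tfrac{1}{2}\sqrt{\big((-\gamma_e+\gamma_n)B - J\big)^2 + A^2}.
\end{aligned}
\qquad (215)
$$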



FIG. 55: Energy levels for a two-donor interacting system
as a function of the exchange coupling J, for $A = 0.2|\gamma_e|B$.
(Vertical axis: $E/2|\gamma_e|B$; horizontal axis: $J/2|\gamma_e|B$.)



In Fig. 55 the energies $E_{s,\pm}$, $E_{a,\pm}$ are plotted against
the exchange coupling constant J. For a two-electron
spin system with antiferromagnetic coupling (J > 0),
the exchange interaction lowers the energy of the spin
singlet with respect to the triplets. When the static magnetic
field is applied, the electron ground state is $|\downarrow\downarrow\rangle_e$
for $J < |\gamma_e|B$. The exchange coupling can be increased
adiabatically by external manipulation of the J voltage
gate. For $J > |\gamma_e|B$, the electron ground state is the
singlet. The value $J = |\gamma_e|B$ corresponds to the case
where levels $E_{a,+}$ and $E_{s,-}$ avoid their crossing (Fig. 55).
The energy splitting to be controlled with the J-gate is
$\hbar\omega_J := E_{s,-} - E_{a,-}$, which can be estimated using the
exact formulas (213), (215) and treating the hyperfine
interaction as a small perturbation (assuming $J < |\gamma_e|B$):

$$\hbar\omega_J \simeq \frac{A^2}{4}\left(\frac{1}{|\gamma_e|B - J} - \frac{1}{|\gamma_e|B}\right). \qquad (216)$$

For the $^{31}$P:Si system at B = 2 T and J/h = 30 GHz,
(216) gives $\nu_J = 75$ kHz as the nuclear spin exchange
frequency. This is roughly the rate at which binary operations
can be performed in the purported quantum computer.
Recall that the speed for individual spin operations
is determined by the oscillating field $B_{ac}$, and this
speed is comparable to 75 kHz when $B_{ac} \sim 10^{-3}$ T.

To calculate finally the gap $\hbar\omega_{ac}$, we just need the energy
of the state $|11\rangle_n|\downarrow\downarrow\rangle_e$ which lies in the trivial sector

$$E_{|11\rangle_n|\downarrow\downarrow\rangle_e} = (\gamma_e + \gamma_n)B + \tfrac{1}{4}J + \tfrac{1}{2}A. \qquad (217)$$

4/ The moment is right to enforce the CNOT operation.
This amounts to swapping the states $|s\rangle_n$ and $|11\rangle_n$,
which are well separated in energies by previous steps,
while leaving the two other states untouched. To this
aim, it suffices now to apply a Rabi pulse
$H_{ac}(t) := -\gamma_n (S^x_{n,1} + S^x_{n,2}) B_{ac} \sin\omega_{ac}t$, resonant with the separation
energy between the states to be exchanged. Although
the gaps $E_{|11\rangle_n|\downarrow\downarrow\rangle_e} - E_{|s\rangle_n|\downarrow\downarrow\rangle_e}$ and $E_{|a\rangle_n|\downarrow\downarrow\rangle_e} - E_{|00\rangle_n|\downarrow\downarrow\rangle_e}$
are very close to each other, the spin part of
the magnetic interaction $H_{ac}(t)$ only couples in first order
the states $|s\rangle_n$ and $|11\rangle_n$, and thus it does not essentially
affect the states $|a\rangle_n$ and $|00\rangle_n$. To complete the
CNOT-gate one applies backwards the steps 3/, 2/ and
1/ (see Fig. 56).

Other computer operations such as spin measurements
and initialization of the quantum register are also based
on the adiabatic manipulation of the A- and J-voltages.
The underlying idea has been to correlate nuclear spin
states adiabatically with states of electron spins, which
in turn affect the symmetry of the electron orbital
wave function (Kane, 2000).

Unlike the QC proposals based on ion-traps or NMR
spectroscopy, the silicon-based QC has not yet been
implemented experimentally. 75 This will require nanofabrication
at the atomic scale involving at least specialized
techniques such as quantum electronic measurements
with Single Electron Transistors (SET) for addressing
individual qubits, atom-scale lithography to place Phosphorus
donors in a Silicon crystal with near-atomic precision,
combined with electron beam lithography for
building the quantum array of qubits, etc. (Kane, 2000).
It remains an open issue whether the current developments
in these technologies will be enough to build a
Kane quantum computer.

75 There is a funded project in the Semiconductor Nanofabrication
Facility of the South Wales University (Australia) for building
a Kane's quantum computer.

FIG. 56: Implementation of the CNOT-gate in a Kane
quantum computer as described in steps 1/-4/ in text
(time t runs along the horizontal axis). In a) the externally
driven couplings are shown, and in b) the qubits
energies are plotted, conveniently shifted by
$E \mapsto E - \gamma_e B - \tfrac{1}{4}J$.



XII. CONCLUSIONS

Although this may look an extensive review, the field
has grown at such a pace that it is not possible to cover
in detail all the interesting developments going on, and
many have been left out. Just to mention a few of them:
universal sets of fault-tolerant quantum gates, a thorough
study of decoherence problems, quantum erasure, further
experimental proposals for quantum computers, etc.

We share the belief in the mutual benefit of the symbiosis
between quanta and information. The very knowledge
of the foundations of physics can benefit from the
theory of information and computation (Landauer, 1991;
1996). We have reviewed some of the aspects coming out
from the fruitful idea that information is physics. We
could further speculate all the way around: physics is
also information. It might quite well be the case that
a fundamental theory of physics could be based on the
notion of qubit from which all the rest would be derived
(Wheeler, 1990; Zeilinger, 1999).

We have made an effort to present both classical and
quantum aspects of information and computation. Classical
aspects have been traditionally linked to computer
science, of interest both to computer and electronic engineers,
and to mathematicians addressing its theoretical
and abstract foundations. Quantum aspects, on the contrary,
have been almost uniquely associated with quantum
physicists. Thus, each community finds its own barrier
to jump over in order to enter the field of quantum
computation: an engineer frequently lacks the necessary
training in quantum theory, while most physicists are
not used to dealing with elementary aspects of information
and the insides of a real computer. These shortcomings
have traditionally made it difficult to bring together both types
of researchers. Our work is aimed in part at setting up
a bridge between both communities in the belief that it
will be rewarding for both of them. We are confident
that after this quantum information revolution the time will
be ripe for quantum mechanics to be taught regularly
at engineering schools, and for information theory to figure
among background courses in physics. Moreover, by presenting
a brief account of the experimental realization of
quantum computers we also stress the close relationship
with other particular fields like condensed matter and its
many branches, especially with the area of strongly correlated
systems.

There is currently a big interest in building real quantum
computers, capable of doing non-trivial tasks. Also,
a bunch of new proposals have been presented and this
trend is likely to continue. Each physical system or interaction
in nature is scrutinized as a possible realization
of a quantum computer. Marvelous machines, like aircraft,
were envisaged in the past by Leonardo da Vinci;
he described them on a piece of paper and they were not
actually built until hundreds of years later. Likewise,
nowadays we find theoretical designs of prospective quantum
computers. We hope that in the case of quantum
computers this process will not take that long. At least
for the current modest realizations the elapsed time has
been short. Even these modest realizations are remarkable
since they allow for testing some of the theoretical
principles.

Now we come necessarily to an end. And we close with
a grand query. We have talked about a large variety of
computer machines: classical - both sequential and parallel
machines of many types - and quantum mechanical
- both theoretical and experimental. Yet, there is a marvellous
machine which plays a paramount role in all those
constructions, because after all, it is the one that has devised
them all. And thus, it is also natural to ask: what
type of computer machine is the human brain?
B92: Bennett 1992

BBPSSW96: Bennett-Brassard-Popescu-Schumacher-Smolin-Wootters 1996

CPU: Central Processing Unit 

E91: Ekert 1991 

ECCC: Error-Correcting Classical Code 

EDP: Entanglement Distillation Protocol

EPR: Einstein-Podolsky-Rosen 

GNFS: General Number Field Sieve 

LOCC: Local Operations Classical Communications 

MIPS: Million Instructions Per Second 

NDTM: Nondeterministic Turing Machine 

NMR: Nuclear Magnetic Resonance

NP: Class of nondeterministic polynomial-time problems 

P: Class of deterministic polynomial-time problems 

PKC: Public Key Cryptography

PTM: Probabilistic Turing Machine 

QC: Quantum Computer 

QECC: Quantum Error Correction Code 

QFT: Quantum Fourier Transform 

QKD: Quantum Key Distribution

QTM: Quantum Turing Machine 

RF: Radio Frequency

RSA: Rivest-Shamir-Adleman

TM: Turing Machine 

VNM: Von Neumann Machine 



APPENDIX: COMPUTATIONAL COMPLEXITY 

There are non-solvable problems like the halting problem
of TM (Sec. VIII.A). In fact, their number is uncountable.
On the other hand, solvable problems can
be classified according to their difficulty. There are easy
problems (computationally tractable), like computing the
determinant of any n x n matrix, and there are difficult
problems (computationally hard or intractable), like
computing the permanent of the same matrix. 76

The complexity classes have been devised to group
solvable problems according to their degree of difficulty.
Three aspects are addressed (Nielsen and Chuang, 2000):
1/ time or space resources required by its solution, 2/
the machine used in its solution (DTM, NDTM, PTM,
or QTM), and 3/ the type of problem (decision, number
of solutions, optimization, etc).



A. Classical Complexity Classes 

When the computation is done with DTMs or NDTMs,
the relevant classes are the following (Papadimitriou,
1994; Welsh, 1995; Yan, 2000; Salomaa 1989; Li and
Vitányi, 1997): 77

i/ Class P (Polynomial), containing those problems
that a DTM solves in polynomial time, i.e., the time taken
for the DTM to find the solution increases at most polynomially
with the length n (in bits) of the initial data.

Examples: 1/ arithmetic operations such as the addition
and multiplication of integers, 2/ Euclid's algorithm,
3/ modular exponentiation, 4/ computation of determinants,
5/ sorting a list (SORT), and 6/ multiplication
of points on elliptic curves by large integers.

ii/ Class NP (Nondeterministic Polynomial), containing
those problems that a NDTM solves in polynomial
time. 78

As there are no NDTMs in practice, it is convenient
to know this other equivalent characterization of the NP
class in which only DTMs are involved: a problem is NP
if, given an arbitrary initial data x of binary length n,
it admits a succinct certificate or polynomial witness y
(i.e., of polynomial length in n), such that there exists
a DTM which, with those data x, y, can solve the given
problem in polynomial time in n.

Clearly, $P \subseteq NP$. A central conjecture in computation
theory is $P \neq NP$.

Examples: 1/ the DISCRETE LOGARITHM problem
(computation in $Z_N$ of the solution x to $a^x = b \bmod N$),
2/ the PRIMALITY problem (given N, is it prime?),
3/ COMPOSITENESS, complement to PRIMALITY
(given N, is it composite?), 4/ the FACTORIZATION
problem (find the decomposition of N into prime factors),
5/ the satisfiability problem SAT (check whether
a given Boolean expression $\phi$ in conjunctive normal form
$\phi = \bigwedge_i C_i$, $C_i := z_{i1} \vee z_{i2} \vee \ldots \vee z_{i r_i}$, with $z_{ij}$
Boolean variables or their negations, is satisfiable, that
is, there exists a choice of variables that makes $\phi$ true),
and 6/ the traveling salesman problem TSD(D) (given n
cities, their mutual distances $d_{ij}$, and a cost or "travel
budget" C, find whether there exists a cyclic permutation
$\pi$ such that $\sum_{i=1}^{n} d_{i,\pi(i)} \le C$).

FACTORIZATION is NP since it is apparent that
given N, and the succinct certificate consisting of its prime
divisors, the decomposition of N into primes is trivial and
of polynomial cost.

iii/ Class PSPACE (Polynomial Space) (NSPACE,
Nondeterministic Polynomial Space), containing those
problems that some DTM (NDTM) solves in polynomial
space, i.e., using a number of cells that grows at most
polynomially with the length (in bits) of the initial data.

76 The definition of the permanent is similar to the determinant.
In fact the only difference is the missing sign of the permutations.

77 Although the complexity classes P, NP, etc, that we shall consider
here usually contain only decision problems (problems whose
solution is either YES (1) or NO (0)), we shall implicitly enlarge
them by including other computational problems, searching, etc,
which are defined in a similar fashion to decision problems by means
of the costs in time or space invested in its solution.

78 As there may be several computational pathways leading to
the solution, the one of shortest duration marks the cost (Salomaa,
1989).

It is known that $NP \subseteq PSPACE = NSPACE$.

Examples: 1/ In the two-players game GEOGRAPHY,
player A chooses the name of a city, say MADRID, and B
has to name another city, like DUBLIN, starting with the
last letter D of the previous city; then the turn is on A for
naming another city starting with N, like NEW YORK,
B says next KYOTO, and so on and so forth. The cities'
names must not be repeated. The loser is the player who
cannot name another city because there are no more
names left. The GEOGRAPHY problem is: given an
arbitrary set of cities (strings, all different, of alphabet
symbols), and A's initial choice of one of them, can A
win? It can be shown that GEOGRAPHY is
PSPACE-complete. 79 2/ Also the game GO suggests a GO problem
on n x n boards and the associated question of whether
there exists some winning strategy for the starting player.
This GO Problem is likewise PSPACE-complete.

iv/ Class EXP (Exponential) (NEXP, Nondeterministic
Exponential), containing those problems that some
DTM (NDTM) solves in exponential time, i.e., a time
that grows at most exponentially with the length (in bits)
of the initial data.

Examples: Consider the problems related to the games
GO, CHECKERS and CHESS on n x n fields: are there
always winning strategies for the first player? Since
the number of movements to analyse grows exponentially
with the board size, such problems are in EXP. Furthermore,
it is believed that they are not in class NP.

The following inclusions among the previous classes
hold:

$$P \subseteq NP \subseteq PSPACE \subseteq EXP \subseteq NEXP.$$

Moreover, it is also known that $P \neq EXP$. Thus, at
least one of the first three inclusions in the long previous
chain must be proper. But it is not known which one.

The classification does not end here. There are even
more "monstrous" problems, as far as complexity is concerned.
For instance, pertaining to the Presburger arithmetic
there exists a problem doubly exponential at least
(time complexity $O(2^{2^n})$ in the size n of the initial data).

Let us now assume that our computers are PTMs. The
corresponding classes are called random, and some of
them stand out:

i/ Class RP (Randomized Polynomial), consisting of
those decision problems that a PTM T, always working
in polynomial time (for every initial data), decides with
error $\le \tfrac{1}{2}$. These problems are called polynomial Monte
Carlo. In other words, if L denotes the set of input data
having answer YES, i.e., 1, then

$$
\begin{aligned}
x \in L &\Longrightarrow \mathrm{prob}(T(x) = 1) \ge \tfrac{1}{2}, \\
x \notin L &\Longrightarrow \mathrm{prob}(T(x) = 1) = 0.
\end{aligned}
$$

This means that all computational pathways that a PTM
T can take from a data $x \notin L$ end up with rejection
(T(x) = 0, i.e., NO), while if $x \in L$, then at least a
fraction $\tfrac{1}{2}$ of the possible paths end up with acceptance
(T(x) = 1). Therefore, there cannot be false positives,
and at most a fraction $\tfrac{1}{2}$ of false negatives can happen
(cases in which $x \in L$ and however the followed path
ends with rejection). Repeating the computation with
the same $x \in L$ a number of times $n \ge \lceil \log_2 \delta^{-1} \rceil$, where
$0 < \delta < 1$, we will be able to get that the probability of
n consecutive false negatives be $\le \delta$ and thus as small
as desired by appropriately choosing $\delta$, or equivalently,
that the probability to obtain in that series of n trials
some acceptance of x be $\ge (1 - \delta)$ and thus as close to 1
as we wish. In cases of real "bad luck" it might happen
that very long series would not contain any acceptance
of x; that is why it is often said that such T decides the
problem in average case polynomial time.

79 Given a complexity class X, a decision problem $P \in X$ is called
X-complete when any $Q \in X$ is polynomially reducible to P, i.e., $\exists$
a polynomial-time map $f : x \mapsto f(x)$ from the inputs of Q to the
inputs of P such that Q(x) = 0, 1 iff P(f(x)) = 0, 1.

ii/ Class ZPP := RP $\cap$ coRP (Zero-error Probabilistic
Polynomial), where the class coRP is the complement
of RP, that is, it contains those decision problems that
answer (YES, NO) to an input iff there exists a problem
in RP which answers (NO, YES) to the same input.

The class ZPP thus contains those decision problems
for which there exist two PTM $T_{RP}$ and $T_{coRP}$, always
working in polynomial time and satisfying

$$
\begin{aligned}
x \in L &\Longrightarrow \mathrm{prob}(T_{RP}(x) = 1) \ge \tfrac{1}{2},\ \mathrm{prob}(T_{coRP}(x) = 1) = 0, \\
x \notin L &\Longrightarrow \mathrm{prob}(T_{RP}(x) = 1) = 0,\ \mathrm{prob}(T_{coRP}(x) = 1) \ge \tfrac{1}{2}.
\end{aligned}
$$

These problems are called polynomial Las Vegas: they
are Monte Carlo, and so are their complements. In other
words, they have two Monte Carlo algorithms, one without
false positives, and another one without false negatives.
Most likely any input data will be decidable with
certainty: it is enough that the algorithm without false
positives says YES, or the one without false negatives
says NO. In case of real bad luck, we shall have to repeat
both until one of them yields a conclusive answer.

Example: PRIMALITY is in ZPP. The
Miller-Selfridge-Rabin algorithm (pseudo-primality strong test,
1974) is of coMonteCarlo type, that is, PRIMALITY is
in coRP (in fact, the probability of false positives, i.e.,
that one probable prime be composite, is < 1/4). That
PRIMALITY is also in RP is a harder issue, and was
proved by Adleman and Huang (1987), with the theory
of Abelian varieties (generalization of elliptic curves to
higher dimensions). 80
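
The one-sided error of the strong pseudo-primality test and the repetition count from the RP discussion above, as an added Python example (not code from the paper). The function names, the `delta` parameter and the sample integers are assumptions of this example; the number of rounds is derived from the per-round false-positive bound 1/4 quoted in the text.

```python
import random


def rounds_for(delta, per_round_error=0.25):
    """Smallest k with per_round_error**k <= delta (error amplification)."""
    if not 0 < delta < 1:
        raise ValueError("delta must lie strictly between 0 and 1")
    k, err = 0, 1.0
    while err > delta:
        err *= per_round_error
        k += 1
    return k


def is_strong_witness(a, n):
    """True if base a proves that odd n > 3 is composite.

    Write n - 1 = 2**s * d with d odd. For prime n, either a**d = 1 or
    a**(2**r * d) = -1 (mod n) for some 0 <= r < s; a base violating both
    conditions is a certificate of compositeness.
    """
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True


def probably_prime(n, delta=1e-12, rng=None):
    """coRP-style decision for PRIMALITY.

    Every prime is answered (True, None): there are no false negatives.
    An odd composite is answered (False, witness) except with probability
    <= delta; an even n > 2 is answered (False, 2) because 2 divides it.
    """
    if n < 2:
        return False, None
    if n in (2, 3):
        return True, None
    if n % 2 == 0:
        return False, 2
    rng = rng or random.Random()
    for _ in range(rounds_for(delta)):
        a = rng.randrange(2, n - 1)  # random base in [2, n - 2]
        if is_strong_witness(a, n):
            return False, a
    return True, None


def liar_fraction(n):
    """Fraction of bases 1 <= a < n that fail to expose the composite n."""
    liars = sum(1 for a in range(1, n) if not is_strong_witness(a, n))
    return liars / (n - 1)


if __name__ == "__main__":
    # Constructed inputs: 561 is a Carmichael number, 2047 = 23 * 89 is a
    # strong pseudoprime to base 2, and 2**61 - 1 is a Mersenne prime.
    for n in (561, 2047, 2**61 - 1):
        print(n, probably_prime(n))
    print("rounds for delta = 1e-12:", rounds_for(1e-12))
    print("liar fraction for 561:", liar_fraction(561))
```

With a per-round error of 1/2 instead of 1/4, `rounds_for` reproduces the count $n \ge \lceil \log_2 \delta^{-1} \rceil$ given for RP.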



80 Given an integer N, there exists a deterministic primality-

FIG. 57: Different classical complexity classes. On the
right, we provisionally accept that BPP class is not a
subset of NP.



iii/ Class BPP (Bounded-error Probabilistic Polynomial).
It contains those decision problems for which there
exists a PTM T always working in polynomial time and
satisfying

$$
\begin{aligned}
x \in L &\Longrightarrow \mathrm{prob}(T(x) = 1) \ge \tfrac{3}{4}, \\
x \notin L &\Longrightarrow \mathrm{prob}(T(x) = 1) \le \tfrac{1}{4}.
\end{aligned}
$$

BPP problems are perhaps those representing best the
notion of realistic computations. They are accepted or
rejected by a PTM with the possibility to err. But the
error probability is $\le \tfrac{1}{4}$ both on the acceptance as well
as on the rejection. Repetition of the algorithm with the
same input allows one to amplify the probability of success,
and, using the majority rule, to decide within polynomial
time (average case time, except in bad luck instances)
and with an error as small as required. It is not known
whether $BPP \subseteq NP$, although it is believed that
$NP \not\subseteq BPP$. It is clear that $RP \subseteq BPP$, and likewise BPP =
coBPP. Generically:

$$P \subseteq ZPP \subseteq RP \subseteq (BPP, NP) \subseteq PSPACE \subseteq EXP \subseteq NEXP.$$

Fig. 57 shows the inclusions among the classical complexity
classes (Papadimitriou, 1995).



B. Quantum Complexity Classes 

When the computers employed in the computations
are QTMs, the associated complexity classes are called
quantum. We shall quote some of the most relevant:

i/ Class QP (Quantum Polynomial), containing those
(decision) problems solvable in polynomial time with a
QTM.

ii/ Class BQP (Bounded-error Quantum Polynomial).
It contains those problems solvable with error < 1/4 in
polynomial time with a QTM.

iii/ Class ZQP (Zero-error probability Quantum Polynomial).
Set of problems solvable with zero error probability
in expected polynomial time with a QTM.

The following relations with the classical complexity
classes hold:

$$P \subsetneq QP, \qquad BPP \subseteq BQP \subseteq PSPACE.$$

The proper inclusion of P in QP, shown by Berthiaume
and Brassard (1992), is very remarkable. It means
that quantum computers can solve efficiently more problems
than their classical kin. It amounts to the first clear
victory in the strict separation of classical and quantum
complexities.

The second chain of inclusions is due to Bernstein and
Vazirani (1993). The crucial question of whether
$BPP \subsetneq BQP$ or not remains open. That is, are there quantum
"tractable" problems which are classically hard? Simon's
algorithm (Subsec. X.B) is a first positive indication
in the presence of a quantum oracle. Another fact
supporting this point comes from Shor's algorithm
(Subsec. X.D) showing that FACTORIZATION and DISCRETE
LOGARITHM are in BQP, whereas the current
state of the art does not allow us to assert that they are in
BPP. The inclusion of BQP in PSPACE implies that
it is possible to classically simulate, and with as good
approximation as desired, quantum problems with reasonable
memory resources, although the simulation would
be exponentially slow in time. That is why there are
no problems solvable with QTMs that escape the domain
of DTMs. Stated in a different way, quantum computation
does not contradict the Church-Turing hypothesis
(Subsec. VIII.A). Only invoking efficiency might classical
TMs yield to QTMs.

Even though we do not know whether BPP is a proper
subset of BQP, we do know classical particular cases
of algorithms (not complexity classes as a whole) that
can be sped up quantumly with respect to their classical
running. Simon's algorithm shows an exponential
gain $O(2^n) \to O(n)$ (Subsec. X.B), and Grover's shows a
quadratic improvement $O(N) \to O(N^{1/2})$ (Subsec. X.C).
But it is not always possible to speed up the algorithm
substantially. There are oracle problems which do not admit
an essential quantum speed-up; at the most it is possible
to go from N classical queries down to N/2 quantum
queries. An example is the PARITY problem (to find
the parity of the number of non-zero bits of a string in
$\{0,1\}^n$ (Farhi et al., 1998)).



testing algorithm, due to Adleman-Pomerance-Rumely-Cohen-Lenstra
(1980-81), with complexity $O((\log_2 N)^{c \log_2 \log_2 \log_2 N})$,
where c is a constant. A current typical computer takes about
30 s for N with 100 decimal digits, about 8 min if N has 200 digits,
and a reasonable time for 1000 digits.